aws-sdk-kms 1.22.0 → 1.27.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/aws-sdk-kms.rb +1 -1
- data/lib/aws-sdk-kms/client.rb +1659 -365
- data/lib/aws-sdk-kms/client_api.rb +193 -0
- data/lib/aws-sdk-kms/errors.rb +32 -0
- data/lib/aws-sdk-kms/types.rb +1074 -105
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6a983aaa03a80ed7188f61a1bab13d7bcddf5701
|
4
|
+
data.tar.gz: 155fd553e0ddd8cb820d3f1b4e8f051177446d1f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 39eb4bc0cfd2bb7b6cd062d5b1b54052edf5868d720bae9f20359a75b8c84721b676e20444e4454b446b576ea5009ff5d5b3259094d82a0d8eb758abd27af195
|
7
|
+
data.tar.gz: 0fd429e969b0ba7461822783be9b7ea9e77239e021ff189bdeb729327ff2179b887009eacdd77d237f32ae622851fd483cb539fe69717f9d670799e779731741
|
data/lib/aws-sdk-kms.rb
CHANGED
data/lib/aws-sdk-kms/client.rb
CHANGED
@@ -265,17 +265,17 @@ module Aws::KMS
|
|
265
265
|
# @!group API Operations
|
266
266
|
|
267
267
|
# Cancels the deletion of a customer master key (CMK). When this
|
268
|
-
# operation
|
269
|
-
#
|
270
|
-
#
|
268
|
+
# operation succeeds, the key state of the CMK is `Disabled`. To enable
|
269
|
+
# the CMK, use EnableKey. You cannot perform this operation on a CMK in
|
270
|
+
# a different AWS account.
|
271
271
|
#
|
272
272
|
# For more information about scheduling and canceling deletion of a CMK,
|
273
273
|
# see [Deleting Customer Master Keys][1] in the *AWS Key Management
|
274
274
|
# Service Developer Guide*.
|
275
275
|
#
|
276
|
-
# The
|
277
|
-
# details, see [How Key State Affects Use of a Customer
|
278
|
-
# in the *AWS Key Management Service Developer Guide*.
|
276
|
+
# The CMK that you use for this operation must be in a compatible key
|
277
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
278
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
279
279
|
#
|
280
280
|
#
|
281
281
|
#
|
@@ -405,39 +405,78 @@ module Aws::KMS
|
|
405
405
|
end
|
406
406
|
|
407
407
|
# Creates a display name for a customer managed customer master key
|
408
|
-
# (CMK). You can use an alias to identify a CMK in
|
409
|
-
# such as Encrypt and GenerateDataKey.
|
410
|
-
#
|
411
|
-
#
|
412
|
-
#
|
413
|
-
# simplify
|
414
|
-
#
|
408
|
+
# (CMK). You can use an alias to identify a CMK in cryptographic
|
409
|
+
# operations, such as Encrypt and GenerateDataKey. You can change the
|
410
|
+
# CMK associated with the alias at any time.
|
411
|
+
#
|
412
|
+
# Aliases are easier to remember than key IDs. They can also help to
|
413
|
+
# simplify your applications. For example, if you use an alias in your
|
414
|
+
# code, you can change the CMK your code uses by associating a given
|
415
|
+
# alias with a different CMK.
|
416
|
+
#
|
417
|
+
# To run the same code in multiple AWS regions, use an alias in your
|
418
|
+
# code, such as `alias/ApplicationKey`. Then, in each AWS Region, create
|
419
|
+
# an `alias/ApplicationKey` alias that is associated with a CMK in that
|
420
|
+
# Region. When you run your code, it uses the `alias/ApplicationKey` CMK
|
421
|
+
# for that AWS Region without any Region-specific code.
|
422
|
+
#
|
423
|
+
# This operation does not return a response. To get the alias that you
|
424
|
+
# created, use the ListAliases operation.
|
425
|
+
#
|
426
|
+
# To use aliases successfully, be aware of the following information.
|
427
|
+
#
|
428
|
+
# * Each alias points to only one CMK at a time, although a single CMK
|
429
|
+
# can have multiple aliases. The alias and its associated CMK must be
|
430
|
+
# in the same AWS account and Region.
|
431
|
+
#
|
432
|
+
# * You can associate an alias with any customer managed CMK in the same
|
433
|
+
# AWS account and Region. However, you do not have permission to
|
434
|
+
# associate an alias with an [AWS managed CMK][1] or an [AWS owned
|
435
|
+
# CMK][2].
|
436
|
+
#
|
437
|
+
# * To change the CMK associated with an alias, use the UpdateAlias
|
438
|
+
# operation. The current CMK and the new CMK must be the same type
|
439
|
+
# (both symmetric or both asymmetric) and they must have the same key
|
440
|
+
# usage (`ENCRYPT_DECRYPT` or `SIGN_VERIFY`). This restriction
|
441
|
+
# prevents cryptographic errors in code that uses aliases.
|
442
|
+
#
|
443
|
+
# * The alias name must begin with `alias/` followed by a name, such as
|
444
|
+
# `alias/ExampleAlias`. It can contain only alphanumeric characters,
|
445
|
+
# forward slashes (/), underscores (\_), and dashes (-). The alias
|
446
|
+
# name cannot begin with `alias/aws/`. The `alias/aws/` prefix is
|
447
|
+
# reserved for [AWS managed CMKs][1].
|
448
|
+
#
|
449
|
+
# * The alias name must be unique within an AWS Region. However, you can
|
450
|
+
# use the same alias name in multiple Regions of the same AWS account.
|
451
|
+
# Each instance of the alias is associated with a CMK in its Region.
|
452
|
+
#
|
453
|
+
# * After you create an alias, you cannot change its alias name.
|
454
|
+
# However, you can use the DeleteAlias operation to delete the alias
|
455
|
+
# and then create a new alias with the desired name.
|
456
|
+
#
|
457
|
+
# * You can use an alias name or alias ARN to identify a CMK in AWS KMS
|
458
|
+
# cryptographic operations and in the DescribeKey operation. However,
|
459
|
+
# you cannot use alias names or alias ARNs in API operations that
|
460
|
+
# manage CMKs, such as DisableKey or GetKeyPolicy. For information
|
461
|
+
# about the valid CMK identifiers for each AWS KMS API operation, see
|
462
|
+
# the descriptions of the `KeyId` parameter in the API operation
|
463
|
+
# documentation.
|
415
464
|
#
|
416
465
|
# Because an alias is not a property of a CMK, you can delete and change
|
417
466
|
# the aliases of a CMK without affecting the CMK. Also, aliases do not
|
418
467
|
# appear in the response from the DescribeKey operation. To get the
|
419
|
-
# aliases of
|
420
|
-
#
|
421
|
-
# The alias name must begin with `alias/` followed by a name, such as
|
422
|
-
# `alias/ExampleAlias`. It can contain only alphanumeric characters,
|
423
|
-
# forward slashes (/), underscores (\_), and dashes (-). The alias name
|
424
|
-
# cannot begin with `alias/aws/`. The `alias/aws/` prefix is reserved
|
425
|
-
# for [AWS managed CMKs][1].
|
426
|
-
#
|
427
|
-
# The alias and the CMK it is mapped to must be in the same AWS account
|
428
|
-
# and the same region. You cannot perform this operation on an alias in
|
429
|
-
# a different AWS account.
|
468
|
+
# aliases and alias ARNs of CMKs in each AWS account and Region, use the
|
469
|
+
# ListAliases operation.
|
430
470
|
#
|
431
|
-
#
|
432
|
-
#
|
433
|
-
#
|
434
|
-
# details, see [How Key State Affects Use of a Customer Master Key][2]
|
435
|
-
# in the *AWS Key Management Service Developer Guide*.
|
471
|
+
# The CMK that you use for this operation must be in a compatible key
|
472
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
473
|
+
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
436
474
|
#
|
437
475
|
#
|
438
476
|
#
|
439
477
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
440
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
478
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk
|
479
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
441
480
|
#
|
442
481
|
# @option params [required, String] :alias_name
|
443
482
|
# Specifies the alias name. This value must begin with `alias/` followed
|
@@ -581,23 +620,58 @@ module Aws::KMS
|
|
581
620
|
# key policies.
|
582
621
|
#
|
583
622
|
# To create a grant that allows a cryptographic operation only when the
|
584
|
-
#
|
585
|
-
#
|
586
|
-
#
|
623
|
+
# request includes a particular [encryption context][1], use the
|
624
|
+
# `Constraints` parameter. For details, see GrantConstraints.
|
625
|
+
#
|
626
|
+
# You can create grants on symmetric and asymmetric CMKs. However, if
|
627
|
+
# the grant allows an operation that the CMK does not support,
|
628
|
+
# `CreateGrant` fails with a `ValidationException`.
|
629
|
+
#
|
630
|
+
# * Grants for symmetric CMKs cannot allow operations that are not
|
631
|
+
# supported for symmetric CMKs, including Sign, Verify, and
|
632
|
+
# GetPublicKey. (There are limited exceptions to this rule for legacy
|
633
|
+
# operations, but you should not create a grant for an operation that
|
634
|
+
# AWS KMS does not support.)
|
635
|
+
#
|
636
|
+
# * Grants for asymmetric CMKs cannot allow operations that are not
|
637
|
+
# supported for asymmetric CMKs, including operations that [generate
|
638
|
+
# data keys][2] or [data key pairs][3], or operations related to
|
639
|
+
# [automatic key rotation][4], [imported key material][5], or CMKs in
|
640
|
+
# [custom key stores][6].
|
641
|
+
#
|
642
|
+
# * Grants for asymmetric CMKs with a `KeyUsage` of `ENCRYPT_DECRYPT`
|
643
|
+
# cannot allow the Sign or Verify operations. Grants for asymmetric
|
644
|
+
# CMKs with a `KeyUsage` of `SIGN_VERIFY` cannot allow the Encrypt or
|
645
|
+
# Decrypt operations.
|
646
|
+
#
|
647
|
+
# * Grants for asymmetric CMKs cannot include an encryption context
|
648
|
+
# grant constraint. An encryption context is not supported on
|
649
|
+
# asymmetric CMKs.
|
650
|
+
#
|
651
|
+
# For information about symmetric and asymmetric CMKs, see [Using
|
652
|
+
# Symmetric and Asymmetric CMKs][7] in the *AWS Key Management Service
|
653
|
+
# Developer Guide*.
|
587
654
|
#
|
588
655
|
# To perform this operation on a CMK in a different AWS account, specify
|
589
656
|
# the key ARN in the value of the `KeyId` parameter. For more
|
590
|
-
# information about grants, see [Grants][
|
657
|
+
# information about grants, see [Grants][8] in the <i> <i>AWS Key
|
591
658
|
# Management Service Developer Guide</i> </i>.
|
592
659
|
#
|
593
|
-
# The
|
594
|
-
# details, see [How Key State Affects Use of a Customer
|
595
|
-
# in the *AWS Key Management Service Developer Guide*.
|
660
|
+
# The CMK that you use for this operation must be in a compatible key
|
661
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
662
|
+
# Master Key][9] in the *AWS Key Management Service Developer Guide*.
|
596
663
|
#
|
597
664
|
#
|
598
665
|
#
|
599
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
600
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/
|
666
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
667
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey
|
668
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair
|
669
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
670
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
671
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
672
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
673
|
+
# [8]: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
|
674
|
+
# [9]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
601
675
|
#
|
602
676
|
# @option params [required, String] :key_id
|
603
677
|
# The unique identifier for the customer master key (CMK) that the grant
|
@@ -720,7 +794,7 @@ module Aws::KMS
|
|
720
794
|
# key_id: "KeyIdType", # required
|
721
795
|
# grantee_principal: "PrincipalIdType", # required
|
722
796
|
# retiring_principal: "PrincipalIdType",
|
723
|
-
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant, RetireGrant, DescribeKey
|
797
|
+
# operations: ["Decrypt"], # required, accepts Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext
|
724
798
|
# constraints: {
|
725
799
|
# encryption_context_subset: {
|
726
800
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
@@ -747,31 +821,89 @@ module Aws::KMS
|
|
747
821
|
req.send_request(options)
|
748
822
|
end
|
749
823
|
|
750
|
-
# Creates a customer managed [customer master key][1] (CMK) in
|
751
|
-
# account.
|
824
|
+
# Creates a unique customer managed [customer master key][1] (CMK) in
|
825
|
+
# your AWS account and Region. You cannot use this operation to create a
|
826
|
+
# CMK in a different AWS account.
|
752
827
|
#
|
753
|
-
# You can use
|
754
|
-
#
|
755
|
-
#
|
828
|
+
# You can use the `CreateKey` operation to create symmetric or
|
829
|
+
# asymmetric CMKs.
|
830
|
+
#
|
831
|
+
# * **Symmetric CMKs** contain a 256-bit symmetric key that never leaves
|
832
|
+
# AWS KMS unencrypted. To use the CMK, you must call AWS KMS. You can
|
833
|
+
# use a symmetric CMK to encrypt and decrypt small amounts of data,
|
834
|
+
# but they are typically used to generate [data keys][2] or data key
|
835
|
+
# pairs. For details, see GenerateDataKey and GenerateDataKeyPair.
|
836
|
+
#
|
837
|
+
# * **Asymmetric CMKs** can contain an RSA key pair or an Elliptic Curve
|
838
|
+
# (ECC) key pair. The private key in an asymmetric CMK never leaves
|
839
|
+
# AWS KMS unencrypted. However, you can use the GetPublicKey operation
|
840
|
+
# to download the public key so it can be used outside of AWS KMS.
|
841
|
+
# CMKs with RSA key pairs can be used to encrypt or decrypt data or
|
842
|
+
# sign and verify messages (but not both). CMKs with ECC key pairs can
|
843
|
+
# be used only to sign and verify messages.
|
844
|
+
#
|
845
|
+
# For information about symmetric and asymmetric CMKs, see [Using
|
846
|
+
# Symmetric and Asymmetric CMKs][3] in the *AWS Key Management Service
|
847
|
+
# Developer Guide*.
|
756
848
|
#
|
757
|
-
# To create
|
758
|
-
# with a value of `EXTERNAL`.
|
849
|
+
# To create different types of CMKs, use the following guidance:
|
759
850
|
#
|
760
|
-
#
|
761
|
-
# parameter to specify the custom key store. You must also use the
|
762
|
-
# `Origin` parameter with a value of `AWS_CLOUDHSM`. The AWS CloudHSM
|
763
|
-
# cluster that is associated with the custom key store must have at
|
764
|
-
# least two active HSMs in different Availability Zones in the AWS
|
765
|
-
# Region.
|
851
|
+
# Asymmetric CMKs
|
766
852
|
#
|
767
|
-
#
|
768
|
-
#
|
853
|
+
# : To create an asymmetric CMK, use the `CustomerMasterKeySpec`
|
854
|
+
# parameter to specify the type of key material in the CMK. Then, use
|
855
|
+
# the `KeyUsage` parameter to determine whether the CMK will be used
|
856
|
+
# to encrypt and decrypt or sign and verify. You can't change these
|
857
|
+
# properties after the CMK is created.
|
858
|
+
#
|
859
|
+
#
|
860
|
+
#
|
861
|
+
# Symmetric CMKs
|
862
|
+
#
|
863
|
+
# : When creating a symmetric CMK, you don't need to specify the
|
864
|
+
# `CustomerMasterKeySpec` or `KeyUsage` parameters. The default value
|
865
|
+
# for `CustomerMasterKeySpec`, `SYMMETRIC_DEFAULT`, and the default
|
866
|
+
# value for `KeyUsage`, `ENCRYPT_DECRYPT`, are the only valid values
|
867
|
+
# for symmetric CMKs.
|
868
|
+
#
|
869
|
+
#
|
870
|
+
#
|
871
|
+
# Imported Key Material
|
872
|
+
#
|
873
|
+
# : To import your own key material, begin by creating a symmetric CMK
|
874
|
+
# with no key material. To do this, use the `Origin` parameter of
|
875
|
+
# `CreateKey` with a value of `EXTERNAL`. Next, use
|
876
|
+
# GetParametersForImport operation to get a public key and import
|
877
|
+
# token, and use the public key to encrypt your key material. Then,
|
878
|
+
# use ImportKeyMaterial with your import token to import the key
|
879
|
+
# material. For step-by-step instructions, see [Importing Key
|
880
|
+
# Material][4] in the <i> <i>AWS Key Management Service Developer
|
881
|
+
# Guide</i> </i>. You cannot import the key material into an
|
882
|
+
# asymmetric CMK.
|
883
|
+
#
|
884
|
+
#
|
885
|
+
#
|
886
|
+
# Custom Key Stores
|
887
|
+
#
|
888
|
+
# : To create a symmetric CMK in a [custom key store][5], use the
|
889
|
+
# `CustomKeyStoreId` parameter to specify the custom key store. You
|
890
|
+
# must also use the `Origin` parameter with a value of `AWS_CLOUDHSM`.
|
891
|
+
# The AWS CloudHSM cluster that is associated with the custom key
|
892
|
+
# store must have at least two active HSMs in different Availability
|
893
|
+
# Zones in the AWS Region.
|
894
|
+
#
|
895
|
+
# You cannot create an asymmetric CMK in a custom key store. For
|
896
|
+
# information about custom key stores in AWS KMS see [Using Custom Key
|
897
|
+
# Stores][5] in the <i> <i>AWS Key Management Service Developer
|
898
|
+
# Guide</i> </i>.
|
769
899
|
#
|
770
900
|
#
|
771
901
|
#
|
772
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
902
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master-keys
|
773
903
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys
|
774
|
-
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
904
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
905
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
906
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
775
907
|
#
|
776
908
|
# @option params [String] :policy
|
777
909
|
# The key policy to attach to the CMK.
|
@@ -814,27 +946,87 @@ module Aws::KMS
|
|
814
946
|
# for a task.
|
815
947
|
#
|
816
948
|
# @option params [String] :key_usage
|
817
|
-
#
|
818
|
-
#
|
819
|
-
#
|
949
|
+
# Determines the cryptographic operations for which you can use the CMK.
|
950
|
+
# The default value is `ENCRYPT_DECRYPT`. This parameter is required
|
951
|
+
# only for asymmetric CMKs. You can't change the `KeyUsage` value after
|
952
|
+
# the CMK is created.
|
953
|
+
#
|
954
|
+
# Select only one valid value.
|
955
|
+
#
|
956
|
+
# * For symmetric CMKs, omit the parameter or specify `ENCRYPT_DECRYPT`.
|
957
|
+
#
|
958
|
+
# * For asymmetric CMKs with RSA key material, specify `ENCRYPT_DECRYPT`
|
959
|
+
# or `SIGN_VERIFY`.
|
960
|
+
#
|
961
|
+
# * For asymmetric CMKs with ECC key material, specify `SIGN_VERIFY`.
|
962
|
+
#
|
963
|
+
# @option params [String] :customer_master_key_spec
|
964
|
+
# Specifies the type of CMK to create. The `CustomerMasterKeySpec`
|
965
|
+
# determines whether the CMK contains a symmetric key or an asymmetric
|
966
|
+
# key pair. It also determines the encryption algorithms or signing
|
967
|
+
# algorithms that the CMK supports. You can't change the
|
968
|
+
# `CustomerMasterKeySpec` after the CMK is created. To further restrict
|
969
|
+
# the algorithms that can be used with the CMK, use its key policy or
|
970
|
+
# IAM policy.
|
971
|
+
#
|
972
|
+
# For help with choosing a key spec for your CMK, see [Selecting a
|
973
|
+
# Customer Master Key Spec][1] in the *AWS Key Management Service
|
974
|
+
# Developer Guide*.
|
975
|
+
#
|
976
|
+
# The default value, `SYMMETRIC_DEFAULT`, creates a CMK with a 256-bit
|
977
|
+
# symmetric key.
|
978
|
+
#
|
979
|
+
# AWS KMS supports the following key specs for CMKs:
|
980
|
+
#
|
981
|
+
# * Symmetric key (default)
|
982
|
+
#
|
983
|
+
# * `SYMMETRIC_DEFAULT` (AES-256-GCM)
|
984
|
+
#
|
985
|
+
# ^
|
986
|
+
#
|
987
|
+
# * Asymmetric RSA key pairs
|
988
|
+
#
|
989
|
+
# * `RSA_2048`
|
990
|
+
#
|
991
|
+
# * `RSA_3072`
|
992
|
+
#
|
993
|
+
# * `RSA_4096`
|
994
|
+
#
|
995
|
+
# * Asymmetric NIST-recommended elliptic curve key pairs
|
996
|
+
#
|
997
|
+
# * `ECC_NIST_P256` (secp256r1)
|
998
|
+
#
|
999
|
+
# * `ECC_NIST_P384` (secp384r1)
|
1000
|
+
#
|
1001
|
+
# * `ECC_NIST_P521` (secp521r1)
|
1002
|
+
#
|
1003
|
+
# * Other asymmetric elliptic curve key pairs
|
1004
|
+
#
|
1005
|
+
# * `ECC_SECG_P256K1` (secp256k1), commonly used for cryptocurrencies.
|
1006
|
+
#
|
1007
|
+
# ^
|
1008
|
+
#
|
1009
|
+
#
|
1010
|
+
#
|
1011
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#cmk-key-spec
|
820
1012
|
#
|
821
1013
|
# @option params [String] :origin
|
822
1014
|
# The source of the key material for the CMK. You cannot change the
|
823
|
-
# origin after you create the CMK.
|
824
|
-
#
|
825
|
-
# The default is `AWS_KMS`, which means AWS KMS creates the key material
|
826
|
-
# in its own key store.
|
1015
|
+
# origin after you create the CMK. The default is `AWS_KMS`, which means
|
1016
|
+
# AWS KMS creates the key material.
|
827
1017
|
#
|
828
1018
|
# When the parameter value is `EXTERNAL`, AWS KMS creates a CMK without
|
829
1019
|
# key material so that you can import key material from your existing
|
830
1020
|
# key management infrastructure. For more information about importing
|
831
1021
|
# key material into AWS KMS, see [Importing Key Material][1] in the *AWS
|
832
|
-
# Key Management Service Developer Guide*.
|
1022
|
+
# Key Management Service Developer Guide*. This value is valid only for
|
1023
|
+
# symmetric CMKs.
|
833
1024
|
#
|
834
1025
|
# When the parameter value is `AWS_CLOUDHSM`, AWS KMS creates the CMK in
|
835
1026
|
# an AWS KMS [custom key store][2] and creates its key material in the
|
836
1027
|
# associated AWS CloudHSM cluster. You must also use the
|
837
|
-
# `CustomKeyStoreId` parameter to identify the custom key store.
|
1028
|
+
# `CustomKeyStoreId` parameter to identify the custom key store. This
|
1029
|
+
# value is valid only for symmetric CMKs.
|
838
1030
|
#
|
839
1031
|
#
|
840
1032
|
#
|
@@ -849,6 +1041,9 @@ module Aws::KMS
|
|
849
1041
|
# with the custom key store must have at least two active HSMs, each in
|
850
1042
|
# a different Availability Zone in the Region.
|
851
1043
|
#
|
1044
|
+
# This parameter is valid only for symmetric CMKs. You cannot create an
|
1045
|
+
# asymmetric CMK in a custom key store.
|
1046
|
+
#
|
852
1047
|
# To find the ID of a custom key store, use the DescribeCustomKeyStores
|
853
1048
|
# operation.
|
854
1049
|
#
|
@@ -885,13 +1080,21 @@ module Aws::KMS
|
|
885
1080
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
886
1081
|
#
|
887
1082
|
# @option params [Array<Types::Tag>] :tags
|
888
|
-
# One or more tags. Each tag consists of a tag key and a tag value.
|
889
|
-
#
|
890
|
-
# (null)
|
1083
|
+
# One or more tags. Each tag consists of a tag key and a tag value. Both
|
1084
|
+
# the tag key and the tag value are required, but the tag value can be
|
1085
|
+
# an empty (null) string.
|
1086
|
+
#
|
1087
|
+
# When you add tags to an AWS resource, AWS generates a cost allocation
|
1088
|
+
# report with usage and costs aggregated by tags. For information about
|
1089
|
+
# adding, changing, deleting and listing tags for CMKs, see [Tagging
|
1090
|
+
# Keys][1].
|
891
1091
|
#
|
892
|
-
# Use this parameter to tag the CMK when it is created.
|
893
|
-
#
|
894
|
-
#
|
1092
|
+
# Use this parameter to tag the CMK when it is created. To add tags to
|
1093
|
+
# an existing CMK, use the TagResource operation.
|
1094
|
+
#
|
1095
|
+
#
|
1096
|
+
#
|
1097
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
|
895
1098
|
#
|
896
1099
|
# @return [Types::CreateKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
897
1100
|
#
|
@@ -932,7 +1135,8 @@ module Aws::KMS
|
|
932
1135
|
# resp = client.create_key({
|
933
1136
|
# policy: "PolicyType",
|
934
1137
|
# description: "DescriptionType",
|
935
|
-
# key_usage: "
|
1138
|
+
# key_usage: "SIGN_VERIFY", # accepts SIGN_VERIFY, ENCRYPT_DECRYPT
|
1139
|
+
# customer_master_key_spec: "RSA_2048", # accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT
|
936
1140
|
# origin: "AWS_KMS", # accepts AWS_KMS, EXTERNAL, AWS_CLOUDHSM
|
937
1141
|
# custom_key_store_id: "CustomKeyStoreIdType",
|
938
1142
|
# bypass_policy_lockout_safety_check: false,
|
@@ -952,7 +1156,7 @@ module Aws::KMS
|
|
952
1156
|
# resp.key_metadata.creation_date #=> Time
|
953
1157
|
# resp.key_metadata.enabled #=> Boolean
|
954
1158
|
# resp.key_metadata.description #=> String
|
955
|
-
# resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
|
1159
|
+
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
|
956
1160
|
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
|
957
1161
|
# resp.key_metadata.deletion_date #=> Time
|
958
1162
|
# resp.key_metadata.valid_to #=> Time
|
@@ -961,6 +1165,11 @@ module Aws::KMS
|
|
961
1165
|
# resp.key_metadata.cloud_hsm_cluster_id #=> String
|
962
1166
|
# resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
|
963
1167
|
# resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
|
1168
|
+
# resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
|
1169
|
+
# resp.key_metadata.encryption_algorithms #=> Array
|
1170
|
+
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
1171
|
+
# resp.key_metadata.signing_algorithms #=> Array
|
1172
|
+
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
964
1173
|
#
|
965
1174
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey AWS API Documentation
|
966
1175
|
#
|
@@ -971,39 +1180,79 @@ module Aws::KMS
|
|
971
1180
|
req.send_request(options)
|
972
1181
|
end
|
973
1182
|
|
974
|
-
# Decrypts ciphertext
|
975
|
-
#
|
1183
|
+
# Decrypts ciphertext that was encrypted by a AWS KMS customer master
|
1184
|
+
# key (CMK) using any of the following operations:
|
1185
|
+
#
|
1186
|
+
# * Encrypt
|
976
1187
|
#
|
977
1188
|
# * GenerateDataKey
|
978
1189
|
#
|
1190
|
+
# * GenerateDataKeyPair
|
1191
|
+
#
|
979
1192
|
# * GenerateDataKeyWithoutPlaintext
|
980
1193
|
#
|
981
|
-
# *
|
1194
|
+
# * GenerateDataKeyPairWithoutPlaintext
|
1195
|
+
#
|
1196
|
+
# You can use this operation to decrypt ciphertext that was encrypted
|
1197
|
+
# under a symmetric or asymmetric CMK. When the CMK is asymmetric, you
|
1198
|
+
# must specify the CMK and the encryption algorithm that was used to
|
1199
|
+
# encrypt the ciphertext. For information about symmetric and asymmetric
|
1200
|
+
# CMKs, see [Using Symmetric and Asymmetric CMKs][1] in the *AWS Key
|
1201
|
+
# Management Service Developer Guide*.
|
1202
|
+
#
|
1203
|
+
# The Decrypt operation also decrypts ciphertext that was encrypted
|
1204
|
+
# outside of AWS KMS by the public key in an AWS KMS asymmetric CMK.
|
1205
|
+
# However, it cannot decrypt ciphertext produced by other libraries,
|
1206
|
+
# such as the [AWS Encryption SDK][2] or [Amazon S3 client-side
|
1207
|
+
# encryption][3]. These libraries return a ciphertext format that is
|
1208
|
+
# incompatible with AWS KMS.
|
1209
|
+
#
|
1210
|
+
# If the ciphertext was encrypted under a symmetric CMK, you do not need
|
1211
|
+
# to specify the CMK or the encryption algorithm. AWS KMS can get this
|
1212
|
+
# information from metadata that it adds to the symmetric ciphertext
|
1213
|
+
# blob. However, if you prefer, you can specify the `KeyId` to ensure
|
1214
|
+
# that a particular CMK is used to decrypt the ciphertext. If you
|
1215
|
+
# specify a different CMK than the one used to encrypt the ciphertext,
|
1216
|
+
# the `Decrypt` operation fails.
|
982
1217
|
#
|
983
1218
|
# Whenever possible, use key policies to give users permission to call
|
984
|
-
# the Decrypt operation on
|
985
|
-
# you might create an IAM user policy that gives
|
986
|
-
# permission on all CMKs. This user could decrypt
|
987
|
-
# encrypted by CMKs in other accounts if the key
|
988
|
-
# cross-account CMK permits it. If you must use an IAM
|
989
|
-
# `Decrypt` permissions, limit the user to particular CMKs or
|
990
|
-
# trusted accounts.
|
991
|
-
#
|
992
|
-
# The result of this operation varies with the key state of the CMK. For
|
993
|
-
# details, see [How Key State Affects Use of a Customer Master Key][1]
|
994
|
-
# in the *AWS Key Management Service Developer Guide*.
|
1219
|
+
# the Decrypt operation on a particular CMK, instead of using IAM
|
1220
|
+
# policies. Otherwise, you might create an IAM user policy that gives
|
1221
|
+
# the user Decrypt permission on all CMKs. This user could decrypt
|
1222
|
+
# ciphertext that was encrypted by CMKs in other accounts if the key
|
1223
|
+
# policy for the cross-account CMK permits it. If you must use an IAM
|
1224
|
+
# policy for `Decrypt` permissions, limit the user to particular CMKs or
|
1225
|
+
# particular trusted accounts.
|
995
1226
|
#
|
1227
|
+
# The CMK that you use for this operation must be in a compatible key
|
1228
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
1229
|
+
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
996
1230
|
#
|
997
1231
|
#
|
998
|
-
#
|
1232
|
+
#
|
1233
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
1234
|
+
# [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
1235
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
1236
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
999
1237
|
#
|
1000
1238
|
# @option params [required, String, IO] :ciphertext_blob
|
1001
1239
|
# Ciphertext to be decrypted. The blob includes metadata.
|
1002
1240
|
#
|
1003
1241
|
# @option params [Hash<String,String>] :encryption_context
|
1004
|
-
#
|
1005
|
-
#
|
1006
|
-
#
|
1242
|
+
# Specifies the encryption context to use when decrypting the data. An
|
1243
|
+
# encryption context is valid only for cryptographic operations with a
|
1244
|
+
# symmetric CMK. The standard asymmetric encryption algorithms that AWS
|
1245
|
+
# KMS uses do not support an encryption context.
|
1246
|
+
#
|
1247
|
+
# An *encryption context* is a collection of non-secret key-value pairs
|
1248
|
+
# that represents additional authenticated data. When you use an
|
1249
|
+
# encryption context to encrypt data, you must specify the same (an
|
1250
|
+
# exact case-sensitive match) encryption context to decrypt the data. An
|
1251
|
+
# encryption context is optional when encrypting with a symmetric CMK,
|
1252
|
+
# but it is highly recommended.
|
1253
|
+
#
|
1254
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
1255
|
+
# Management Service Developer Guide*.
|
1007
1256
|
#
|
1008
1257
|
#
|
1009
1258
|
#
|
@@ -1019,10 +1268,54 @@ module Aws::KMS
|
|
1019
1268
|
#
|
1020
1269
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
1021
1270
|
#
|
1271
|
+
# @option params [String] :key_id
|
1272
|
+
# Specifies the customer master key (CMK) that AWS KMS will use to
|
1273
|
+
# decrypt the ciphertext. Enter a key ID of the CMK that was used to
|
1274
|
+
# encrypt the ciphertext.
|
1275
|
+
#
|
1276
|
+
# If you specify a `KeyId` value, the `Decrypt` operation succeeds only
|
1277
|
+
# if the specified CMK was used to encrypt the ciphertext.
|
1278
|
+
#
|
1279
|
+
# This parameter is required only when the ciphertext was encrypted
|
1280
|
+
# under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that it
|
1281
|
+
# adds to the ciphertext blob to determine which CMK was used to encrypt
|
1282
|
+
# the ciphertext. However, you can use this parameter to ensure that a
|
1283
|
+
# particular CMK (of any kind) is used to decrypt the ciphertext.
|
1284
|
+
#
|
1285
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1286
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
1287
|
+
# `"alias/"`.
|
1288
|
+
#
|
1289
|
+
# For example:
|
1290
|
+
#
|
1291
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
1292
|
+
#
|
1293
|
+
# * Key ARN:
|
1294
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
1295
|
+
#
|
1296
|
+
# * Alias name: `alias/ExampleAlias`
|
1297
|
+
#
|
1298
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
1299
|
+
#
|
1300
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
1301
|
+
# To get the alias name and alias ARN, use ListAliases.
|
1302
|
+
#
|
1303
|
+
# @option params [String] :encryption_algorithm
|
1304
|
+
# Specifies the encryption algorithm that will be used to decrypt the
|
1305
|
+
# ciphertext. Specify the same algorithm that was used to encrypt the
|
1306
|
+
# data. If you specify a different algorithm, the `Decrypt` operation
|
1307
|
+
# fails.
|
1308
|
+
#
|
1309
|
+
# This parameter is required only when the ciphertext was encrypted
|
1310
|
+
# under an asymmetric CMK. The default value, `SYMMETRIC_DEFAULT`,
|
1311
|
+
# represents the only supported algorithm that is valid for symmetric
|
1312
|
+
# CMKs.
|
1313
|
+
#
|
1022
1314
|
# @return [Types::DecryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1023
1315
|
#
|
1024
1316
|
# * {Types::DecryptResponse#key_id #key_id} => String
|
1025
1317
|
# * {Types::DecryptResponse#plaintext #plaintext} => String
|
1318
|
+
# * {Types::DecryptResponse#encryption_algorithm #encryption_algorithm} => String
|
1026
1319
|
#
|
1027
1320
|
#
|
1028
1321
|
# @example Example: To decrypt data
|
@@ -1047,12 +1340,15 @@ module Aws::KMS
|
|
1047
1340
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
1048
1341
|
# },
|
1049
1342
|
# grant_tokens: ["GrantTokenType"],
|
1343
|
+
# key_id: "KeyIdType",
|
1344
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
1050
1345
|
# })
|
1051
1346
|
#
|
1052
1347
|
# @example Response structure
|
1053
1348
|
#
|
1054
1349
|
# resp.key_id #=> String
|
1055
1350
|
# resp.plaintext #=> String
|
1351
|
+
# resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
1056
1352
|
#
|
1057
1353
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt AWS API Documentation
|
1058
1354
|
#
|
@@ -1178,9 +1474,9 @@ module Aws::KMS
|
|
1178
1474
|
# After you delete key material, you can use ImportKeyMaterial to
|
1179
1475
|
# reimport the same key material into the CMK.
|
1180
1476
|
#
|
1181
|
-
# The
|
1182
|
-
# details, see [How Key State Affects Use of a Customer
|
1183
|
-
# in the *AWS Key Management Service Developer Guide*.
|
1477
|
+
# The CMK that you use for this operation must be in a compatible key
|
1478
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
1479
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
1184
1480
|
#
|
1185
1481
|
#
|
1186
1482
|
#
|
@@ -1328,20 +1624,50 @@ module Aws::KMS
|
|
1328
1624
|
req.send_request(options)
|
1329
1625
|
end
|
1330
1626
|
|
1331
|
-
# Provides detailed information about
|
1332
|
-
#
|
1627
|
+
# Provides detailed information about a customer master key (CMK). You
|
1628
|
+
# can run `DescribeKey` on a [customer managed CMK][1] or an [AWS
|
1629
|
+
# managed CMK][2].
|
1630
|
+
#
|
1631
|
+
# This detailed information includes the key ARN, creation date (and
|
1632
|
+
# deletion date, if applicable), the key state, and the origin and
|
1633
|
+
# expiration date (if any) of the key material. For CMKs in custom key
|
1634
|
+
# stores, it includes information about the custom key store, such as
|
1635
|
+
# the key store ID and the AWS CloudHSM cluster ID. It includes fields,
|
1636
|
+
# like `KeySpec`, that help you distinguish symmetric from asymmetric
|
1637
|
+
# CMKs. It also provides information that is particularly important to
|
1638
|
+
# asymmetric CMKs, such as the key usage (encryption or signing) and the
|
1639
|
+
# encryption algorithms or signing algorithms that the CMK supports.
|
1640
|
+
#
|
1641
|
+
# `DescribeKey` does not return the following information:
|
1642
|
+
#
|
1643
|
+
# * Aliases associated with the CMK. To get this information, use
|
1644
|
+
# ListAliases.
|
1645
|
+
#
|
1646
|
+
# * Whether automatic key rotation is enabled on the CMK. To get this
|
1647
|
+
# information, use GetKeyRotationStatus. Also, some key states prevent
|
1648
|
+
# a CMK from being automatically rotated. For details, see [How
|
1649
|
+
# Automatic Key Rotation Works][3] in *AWS Key Management Service
|
1650
|
+
# Developer Guide*.
|
1651
|
+
#
|
1652
|
+
# * Tags on the CMK. To get this information, use ListResourceTags.
|
1333
1653
|
#
|
1334
|
-
#
|
1335
|
-
#
|
1336
|
-
#
|
1337
|
-
#
|
1654
|
+
# * Key policies and grants on the CMK. To get this information, use
|
1655
|
+
# GetKeyPolicy and ListGrants.
|
1656
|
+
#
|
1657
|
+
# If you call the `DescribeKey` operation on a *predefined AWS alias*,
|
1658
|
+
# that is, an AWS alias with no key ID, AWS KMS creates an [AWS managed
|
1659
|
+
# CMK][4]. Then, it associates the alias with the new CMK, and returns
|
1660
|
+
# the `KeyId` and `Arn` of the new CMK in the response.
|
1338
1661
|
#
|
1339
1662
|
# To perform this operation on a CMK in a different AWS account, specify
|
1340
1663
|
# the key ARN or alias ARN in the value of the KeyId parameter.
|
1341
1664
|
#
|
1342
1665
|
#
|
1343
1666
|
#
|
1344
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#
|
1667
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
1668
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
1669
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works
|
1670
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
|
1345
1671
|
#
|
1346
1672
|
# @option params [required, String] :key_id
|
1347
1673
|
# Describes the specified customer master key (CMK).
|
@@ -1427,7 +1753,7 @@ module Aws::KMS
|
|
1427
1753
|
# resp.key_metadata.creation_date #=> Time
|
1428
1754
|
# resp.key_metadata.enabled #=> Boolean
|
1429
1755
|
# resp.key_metadata.description #=> String
|
1430
|
-
# resp.key_metadata.key_usage #=> String, one of "ENCRYPT_DECRYPT"
|
1756
|
+
# resp.key_metadata.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
|
1431
1757
|
# resp.key_metadata.key_state #=> String, one of "Enabled", "Disabled", "PendingDeletion", "PendingImport", "Unavailable"
|
1432
1758
|
# resp.key_metadata.deletion_date #=> Time
|
1433
1759
|
# resp.key_metadata.valid_to #=> Time
|
@@ -1436,6 +1762,11 @@ module Aws::KMS
|
|
1436
1762
|
# resp.key_metadata.cloud_hsm_cluster_id #=> String
|
1437
1763
|
# resp.key_metadata.expiration_model #=> String, one of "KEY_MATERIAL_EXPIRES", "KEY_MATERIAL_DOES_NOT_EXPIRE"
|
1438
1764
|
# resp.key_metadata.key_manager #=> String, one of "AWS", "CUSTOMER"
|
1765
|
+
# resp.key_metadata.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
|
1766
|
+
# resp.key_metadata.encryption_algorithms #=> Array
|
1767
|
+
# resp.key_metadata.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
1768
|
+
# resp.key_metadata.signing_algorithms #=> Array
|
1769
|
+
# resp.key_metadata.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
1439
1770
|
#
|
1440
1771
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey AWS API Documentation
|
1441
1772
|
#
|
@@ -1454,9 +1785,9 @@ module Aws::KMS
|
|
1454
1785
|
# [How Key State Affects the Use of a Customer Master Key][1] in the <i>
|
1455
1786
|
# <i>AWS Key Management Service Developer Guide</i> </i>.
|
1456
1787
|
#
|
1457
|
-
# The
|
1458
|
-
# details, see [How Key State Affects Use of a Customer
|
1459
|
-
# in the *AWS Key Management Service Developer Guide*.
|
1788
|
+
# The CMK that you use for this operation must be in a compatible key
|
1789
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
1790
|
+
# Master Key][1] in the *AWS Key Management Service Developer Guide*.
|
1460
1791
|
#
|
1461
1792
|
#
|
1462
1793
|
#
|
@@ -1503,20 +1834,26 @@ module Aws::KMS
|
|
1503
1834
|
end
|
1504
1835
|
|
1505
1836
|
# Disables [automatic rotation of the key material][1] for the specified
|
1506
|
-
# customer master key (CMK).
|
1507
|
-
# in a different AWS account.
|
1837
|
+
# symmetric customer master key (CMK).
|
1508
1838
|
#
|
1509
|
-
#
|
1510
|
-
#
|
1511
|
-
#
|
1839
|
+
# You cannot enable automatic rotation of asymmetric CMKs, CMKs with
|
1840
|
+
# imported key material, or CMKs in a [custom key store][2]. You cannot
|
1841
|
+
# perform this operation on a CMK in a different AWS account.
|
1842
|
+
#
|
1843
|
+
# The CMK that you use for this operation must be in a compatible key
|
1844
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
1845
|
+
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
1512
1846
|
#
|
1513
1847
|
#
|
1514
1848
|
#
|
1515
1849
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
1516
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
1850
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1851
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1517
1852
|
#
|
1518
1853
|
# @option params [required, String] :key_id
|
1519
|
-
#
|
1854
|
+
# Identifies a symmetric customer master key (CMK). You cannot enable
|
1855
|
+
# automatic rotation of [asymmetric CMKs][1], CMKs with [imported key
|
1856
|
+
# material][2], or CMKs in a [custom key store][3].
|
1520
1857
|
#
|
1521
1858
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
1522
1859
|
#
|
@@ -1529,6 +1866,12 @@ module Aws::KMS
|
|
1529
1866
|
#
|
1530
1867
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
1531
1868
|
#
|
1869
|
+
#
|
1870
|
+
#
|
1871
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks
|
1872
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
1873
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
1874
|
+
#
|
1532
1875
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
1533
1876
|
#
|
1534
1877
|
#
|
@@ -1611,9 +1954,9 @@ module Aws::KMS
|
|
1611
1954
|
# allows you to use the CMK for cryptographic operations. You cannot
|
1612
1955
|
# perform this operation on a CMK in a different AWS account.
|
1613
1956
|
#
|
1614
|
-
# The
|
1615
|
-
# details, see [How Key State Affects Use of a Customer
|
1616
|
-
# in the *AWS Key Management Service Developer Guide*.
|
1957
|
+
# The CMK that you use for this operation must be in a compatible key
|
1958
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
1959
|
+
# Master Key][1] in the *AWS Key Management Service Developer Guide*.
|
1617
1960
|
#
|
1618
1961
|
#
|
1619
1962
|
#
|
@@ -1660,15 +2003,15 @@ module Aws::KMS
|
|
1660
2003
|
end
|
1661
2004
|
|
1662
2005
|
# Enables [automatic rotation of the key material][1] for the specified
|
1663
|
-
# customer master key (CMK). You cannot perform this operation
|
1664
|
-
# in a different AWS account.
|
2006
|
+
# symmetric customer master key (CMK). You cannot perform this operation
|
2007
|
+
# on a CMK in a different AWS account.
|
1665
2008
|
#
|
1666
|
-
# You cannot enable automatic rotation of CMKs with
|
1667
|
-
# material or CMKs in a [custom key store][2].
|
2009
|
+
# You cannot enable automatic rotation of asymmetric CMKs, CMKs with
|
2010
|
+
# imported key material, or CMKs in a [custom key store][2].
|
1668
2011
|
#
|
1669
|
-
# The
|
1670
|
-
# details, see [How Key State Affects Use of a Customer
|
1671
|
-
# in the *AWS Key Management Service Developer Guide*.
|
2012
|
+
# The CMK that you use for this operation must be in a compatible key
|
2013
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
2014
|
+
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
1672
2015
|
#
|
1673
2016
|
#
|
1674
2017
|
#
|
@@ -1677,7 +2020,9 @@ module Aws::KMS
|
|
1677
2020
|
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1678
2021
|
#
|
1679
2022
|
# @option params [required, String] :key_id
|
1680
|
-
#
|
2023
|
+
# Identifies a symmetric customer master key (CMK). You cannot enable
|
2024
|
+
# automatic rotation of asymmetric CMKs, CMKs with imported key
|
2025
|
+
# material, or CMKs in a [custom key store][1].
|
1681
2026
|
#
|
1682
2027
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
1683
2028
|
#
|
@@ -1690,6 +2035,10 @@ module Aws::KMS
|
|
1690
2035
|
#
|
1691
2036
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
1692
2037
|
#
|
2038
|
+
#
|
2039
|
+
#
|
2040
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
2041
|
+
#
|
1693
2042
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
1694
2043
|
#
|
1695
2044
|
#
|
@@ -1719,9 +2068,8 @@ module Aws::KMS
|
|
1719
2068
|
# Encrypts plaintext into ciphertext by using a customer master key
|
1720
2069
|
# (CMK). The `Encrypt` operation has two primary use cases:
|
1721
2070
|
#
|
1722
|
-
# * You can encrypt
|
1723
|
-
#
|
1724
|
-
# information.
|
2071
|
+
# * You can encrypt small amounts of arbitrary data, such as a personal
|
2072
|
+
# identifier or database password, or other sensitive information.
|
1725
2073
|
#
|
1726
2074
|
# * You can use the `Encrypt` operation to move encrypted data from one
|
1727
2075
|
# AWS region to another. In the first region, generate a data key and
|
@@ -1730,24 +2078,76 @@ module Aws::KMS
|
|
1730
2078
|
# safely move the encrypted data and encrypted data key to the new
|
1731
2079
|
# region, and decrypt in the new region when necessary.
|
1732
2080
|
#
|
1733
|
-
# You don't need use
|
1734
|
-
#
|
1735
|
-
#
|
2081
|
+
# You don't need to use the `Encrypt` operation to encrypt a data key.
|
2082
|
+
# The GenerateDataKey and GenerateDataKeyPair operations return a
|
2083
|
+
# plaintext data key and an encrypted copy of that data key.
|
1736
2084
|
#
|
1737
|
-
#
|
1738
|
-
#
|
1739
|
-
# the `
|
2085
|
+
# When you encrypt data, you must specify a symmetric or asymmetric CMK
|
2086
|
+
# to use in the encryption operation. The CMK must have a `KeyUsage`
|
2087
|
+
# value of `ENCRYPT_DECRYPT.` To find the `KeyUsage` of a CMK, use the
|
2088
|
+
# DescribeKey operation.
|
1740
2089
|
#
|
1741
|
-
#
|
1742
|
-
#
|
1743
|
-
#
|
2090
|
+
# If you use a symmetric CMK, you can use an encryption context to add
|
2091
|
+
# additional security to your encryption operation. If you specify an
|
2092
|
+
# `EncryptionContext` when encrypting data, you must specify the same
|
2093
|
+
# encryption context (a case-sensitive exact match) when decrypting the
|
2094
|
+
# data. Otherwise, the request to decrypt fails with an
|
2095
|
+
# `InvalidCiphertextException`. For more information, see [Encryption
|
2096
|
+
# Context][1] in the *AWS Key Management Service Developer Guide*.
|
2097
|
+
#
|
2098
|
+
# If you specify an asymmetric CMK, you must also specify the encryption
|
2099
|
+
# algorithm. The algorithm must be compatible with the CMK type.
|
2100
|
+
#
|
2101
|
+
# When you use an asymmetric CMK to encrypt or reencrypt data, be sure
|
2102
|
+
# to record the CMK and encryption algorithm that you choose. You will
|
2103
|
+
# be required to provide the same CMK and encryption algorithm when you
|
2104
|
+
# decrypt the data. If the CMK and algorithm do not match the values
|
2105
|
+
# used to encrypt the data, the decrypt operation fails.
|
2106
|
+
#
|
2107
|
+
# You are not required to supply the CMK ID and encryption algorithm
|
2108
|
+
# when you decrypt with symmetric CMKs because AWS KMS stores this
|
2109
|
+
# information in the ciphertext blob. AWS KMS cannot store metadata in
|
2110
|
+
# ciphertext generated with asymmetric keys. The standard format for
|
2111
|
+
# asymmetric key ciphertext does not include configurable fields.
|
2112
|
+
#
|
2113
|
+
# The maximum size of the data that you can encrypt varies with the type
|
2114
|
+
# of CMK and the encryption algorithm that you choose.
|
2115
|
+
#
|
2116
|
+
# * Symmetric CMKs
|
2117
|
+
#
|
2118
|
+
# * `SYMMETRIC_DEFAULT`\: 4096 bytes
|
2119
|
+
#
|
2120
|
+
# ^
|
2121
|
+
#
|
2122
|
+
# * `RSA_2048`
|
2123
|
+
#
|
2124
|
+
# * `RSAES_OAEP_SHA_1`\: 214 bytes
|
2125
|
+
#
|
2126
|
+
# * `RSAES_OAEP_SHA_256`\: 190 bytes
|
2127
|
+
#
|
2128
|
+
# * `RSA_3072`
|
2129
|
+
#
|
2130
|
+
# * `RSAES_OAEP_SHA_1`\: 342 bytes
|
2131
|
+
#
|
2132
|
+
# * `RSAES_OAEP_SHA_256`\: 318 bytes
|
2133
|
+
#
|
2134
|
+
# * `RSA_4096`
|
2135
|
+
#
|
2136
|
+
# * `RSAES_OAEP_SHA_1`\: 470 bytes
|
2137
|
+
#
|
2138
|
+
# * `RSAES_OAEP_SHA_256`\: 446 bytes
|
2139
|
+
#
|
2140
|
+
# The CMK that you use for this operation must be in a compatible key
|
2141
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
2142
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
1744
2143
|
#
|
1745
2144
|
# To perform this operation on a CMK in a different AWS account, specify
|
1746
2145
|
# the key ARN or alias ARN in the value of the KeyId parameter.
|
1747
2146
|
#
|
1748
2147
|
#
|
1749
2148
|
#
|
1750
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/
|
2149
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2150
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1751
2151
|
#
|
1752
2152
|
# @option params [required, String] :key_id
|
1753
2153
|
# A unique identifier for the customer master key (CMK).
|
@@ -1775,10 +2175,20 @@ module Aws::KMS
|
|
1775
2175
|
# Data to be encrypted.
|
1776
2176
|
#
|
1777
2177
|
# @option params [Hash<String,String>] :encryption_context
|
1778
|
-
#
|
1779
|
-
#
|
1780
|
-
#
|
1781
|
-
#
|
2178
|
+
# Specifies the encryption context that will be used to encrypt the
|
2179
|
+
# data. An encryption context is valid only for cryptographic operations
|
2180
|
+
# with a symmetric CMK. The standard asymmetric encryption algorithms
|
2181
|
+
# that AWS KMS uses do not support an encryption context.
|
2182
|
+
#
|
2183
|
+
# An *encryption context* is a collection of non-secret key-value pairs
|
2184
|
+
# that represents additional authenticated data. When you use an
|
2185
|
+
# encryption context to encrypt data, you must specify the same (an
|
2186
|
+
# exact case-sensitive match) encryption context to decrypt the data. An
|
2187
|
+
# encryption context is optional when encrypting with a symmetric CMK,
|
2188
|
+
# but it is highly recommended.
|
2189
|
+
#
|
2190
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
2191
|
+
# Management Service Developer Guide*.
|
1782
2192
|
#
|
1783
2193
|
#
|
1784
2194
|
#
|
@@ -1794,10 +2204,21 @@ module Aws::KMS
|
|
1794
2204
|
#
|
1795
2205
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
1796
2206
|
#
|
2207
|
+
# @option params [String] :encryption_algorithm
|
2208
|
+
# Specifies the encryption algorithm that AWS KMS will use to encrypt
|
2209
|
+
# the plaintext message. The algorithm must be compatible with the CMK
|
2210
|
+
# that you specify.
|
2211
|
+
#
|
2212
|
+
# This parameter is required only for asymmetric CMKs. The default
|
2213
|
+
# value, `SYMMETRIC_DEFAULT`, is the algorithm used for symmetric CMKs.
|
2214
|
+
# If you are using an asymmetric CMK, we recommend
|
2215
|
+
# RSAES\_OAEP\_SHA\_256.
|
2216
|
+
#
|
1797
2217
|
# @return [Types::EncryptResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1798
2218
|
#
|
1799
2219
|
# * {Types::EncryptResponse#ciphertext_blob #ciphertext_blob} => String
|
1800
2220
|
# * {Types::EncryptResponse#key_id #key_id} => String
|
2221
|
+
# * {Types::EncryptResponse#encryption_algorithm #encryption_algorithm} => String
|
1801
2222
|
#
|
1802
2223
|
#
|
1803
2224
|
# @example Example: To encrypt data
|
@@ -1824,12 +2245,14 @@ module Aws::KMS
|
|
1824
2245
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
1825
2246
|
# },
|
1826
2247
|
# grant_tokens: ["GrantTokenType"],
|
2248
|
+
# encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
1827
2249
|
# })
|
1828
2250
|
#
|
1829
2251
|
# @example Response structure
|
1830
2252
|
#
|
1831
2253
|
# resp.ciphertext_blob #=> String
|
1832
2254
|
# resp.key_id #=> String
|
2255
|
+
# resp.encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
1833
2256
|
#
|
1834
2257
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt AWS API Documentation
|
1835
2258
|
#
|
@@ -1840,27 +2263,45 @@ module Aws::KMS
|
|
1840
2263
|
req.send_request(options)
|
1841
2264
|
end
|
1842
2265
|
|
1843
|
-
# Generates a unique data key. This operation returns a
|
1844
|
-
# of the data key and a copy that is encrypted under a
|
1845
|
-
# key (CMK) that you specify. You can use the plaintext
|
1846
|
-
# your data outside of KMS and store the encrypted
|
1847
|
-
# encrypted data.
|
2266
|
+
# Generates a unique symmetric data key. This operation returns a
|
2267
|
+
# plaintext copy of the data key and a copy that is encrypted under a
|
2268
|
+
# customer master key (CMK) that you specify. You can use the plaintext
|
2269
|
+
# key to encrypt your data outside of AWS KMS and store the encrypted
|
2270
|
+
# data key with the encrypted data.
|
1848
2271
|
#
|
1849
2272
|
# `GenerateDataKey` returns a unique data key for each request. The
|
1850
2273
|
# bytes in the key are not related to the caller or CMK that is used to
|
1851
2274
|
# encrypt the data key.
|
1852
2275
|
#
|
1853
|
-
# To generate a data key,
|
1854
|
-
#
|
1855
|
-
#
|
1856
|
-
#
|
1857
|
-
#
|
1858
|
-
#
|
1859
|
-
#
|
2276
|
+
# To generate a data key, specify the symmetric CMK that will be used to
|
2277
|
+
# encrypt the data key. You cannot use an asymmetric CMK to generate
|
2278
|
+
# data keys.
|
2279
|
+
#
|
2280
|
+
# You must also specify the length of the data key. Use either the
|
2281
|
+
# `KeySpec` or `NumberOfBytes` parameters (but not both). For 128-bit
|
2282
|
+
# and 256-bit data keys, use the `KeySpec` parameter.
|
2283
|
+
#
|
2284
|
+
# If the operation succeeds, the plaintext copy of the data key is in
|
2285
|
+
# the `Plaintext` field of the response, and the encrypted copy of the
|
2286
|
+
# data key in the `CiphertextBlob` field.
|
2287
|
+
#
|
2288
|
+
# To get only an encrypted copy of the data key, use
|
2289
|
+
# GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key
|
2290
|
+
# pair, use the GenerateDataKeyPair or
|
2291
|
+
# GenerateDataKeyPairWithoutPlaintext operation. To get a
|
2292
|
+
# cryptographically secure random byte string, use GenerateRandom.
|
2293
|
+
#
|
2294
|
+
# You can use the optional encryption context to add additional security
|
2295
|
+
# to the encryption operation. If you specify an `EncryptionContext`,
|
2296
|
+
# you must specify the same encryption context (a case-sensitive exact
|
2297
|
+
# match) when decrypting the encrypted data key. Otherwise, the request
|
2298
|
+
# to decrypt fails with an InvalidCiphertextException. For more
|
2299
|
+
# information, see [Encryption Context][1] in the *AWS Key Management
|
2300
|
+
# Service Developer Guide*.
|
1860
2301
|
#
|
1861
|
-
#
|
1862
|
-
#
|
1863
|
-
#
|
2302
|
+
# The CMK that you use for this operation must be in a compatible key
|
2303
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
2304
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
1864
2305
|
#
|
1865
2306
|
# We recommend that you use the following pattern to encrypt data
|
1866
2307
|
# locally in your application:
|
@@ -1882,30 +2323,13 @@ module Aws::KMS
|
|
1882
2323
|
# 2. Use the plaintext data key to decrypt data locally, then erase the
|
1883
2324
|
# plaintext data key from memory.
|
1884
2325
|
#
|
1885
|
-
# To get only an encrypted copy of the data key, use
|
1886
|
-
# GenerateDataKeyWithoutPlaintext. To get a cryptographically secure
|
1887
|
-
# random byte string, use GenerateRandom.
|
1888
|
-
#
|
1889
|
-
# You can use the optional encryption context to add additional security
|
1890
|
-
# to your encryption operation. When you specify an `EncryptionContext`
|
1891
|
-
# in the `GenerateDataKey` operation, you must specify the same
|
1892
|
-
# encryption context (a case-sensitive exact match) in your request to
|
1893
|
-
# Decrypt the data key. Otherwise, the request to decrypt fails with an
|
1894
|
-
# `InvalidCiphertextException`. For more information, see [Encryption
|
1895
|
-
# Context][1] in the <i> <i>AWS Key Management Service Developer
|
1896
|
-
# Guide</i> </i>.
|
1897
|
-
#
|
1898
|
-
# The result of this operation varies with the key state of the CMK. For
|
1899
|
-
# details, see [How Key State Affects Use of a Customer Master Key][2]
|
1900
|
-
# in the *AWS Key Management Service Developer Guide*.
|
1901
|
-
#
|
1902
2326
|
#
|
1903
2327
|
#
|
1904
2328
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
1905
2329
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
1906
2330
|
#
|
1907
2331
|
# @option params [required, String] :key_id
|
1908
|
-
#
|
2332
|
+
# Identifies the symmetric CMK that encrypts the data key.
|
1909
2333
|
#
|
1910
2334
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
1911
2335
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -1927,8 +2351,15 @@ module Aws::KMS
|
|
1927
2351
|
# To get the alias name and alias ARN, use ListAliases.
|
1928
2352
|
#
|
1929
2353
|
# @option params [Hash<String,String>] :encryption_context
|
1930
|
-
#
|
1931
|
-
# data.
|
2354
|
+
# Specifies the encryption context that will be used when encrypting the
|
2355
|
+
# data key.
|
2356
|
+
#
|
2357
|
+
# An *encryption context* is a collection of non-secret key-value pairs
|
2358
|
+
# that represents additional authenticated data. When you use an
|
2359
|
+
# encryption context to encrypt data, you must specify the same (an
|
2360
|
+
# exact case-sensitive match) encryption context to decrypt the data. An
|
2361
|
+
# encryption context is optional when encrypting with a symmetric CMK,
|
2362
|
+
# but it is highly recommended.
|
1932
2363
|
#
|
1933
2364
|
# For more information, see [Encryption Context][1] in the *AWS Key
|
1934
2365
|
# Management Service Developer Guide*.
|
@@ -1938,14 +2369,21 @@ module Aws::KMS
|
|
1938
2369
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
1939
2370
|
#
|
1940
2371
|
# @option params [Integer] :number_of_bytes
|
1941
|
-
#
|
1942
|
-
# generate a 512-bit data key (64 bytes is 512 bits). For
|
1943
|
-
#
|
1944
|
-
#
|
2372
|
+
# Specifies the length of the data key in bytes. For example, use the
|
2373
|
+
# value 64 to generate a 512-bit data key (64 bytes is 512 bits). For
|
2374
|
+
# 128-bit (16-byte) and 256-bit (32-byte) data keys, use the `KeySpec`
|
2375
|
+
# parameter.
|
2376
|
+
#
|
2377
|
+
# You must specify either the `KeySpec` or the `NumberOfBytes` parameter
|
2378
|
+
# (but not both) in every `GenerateDataKey` request.
|
1945
2379
|
#
|
1946
2380
|
# @option params [String] :key_spec
|
1947
|
-
#
|
1948
|
-
# symmetric key, or `AES_256` to generate a 256-bit symmetric
|
2381
|
+
# Specifies the length of the data key. Use `AES_128` to generate a
|
2382
|
+
# 128-bit symmetric key, or `AES_256` to generate a 256-bit symmetric
|
2383
|
+
# key.
|
2384
|
+
#
|
2385
|
+
# You must specify either the `KeySpec` or the `NumberOfBytes` parameter
|
2386
|
+
# (but not both) in every `GenerateDataKey` request.
|
1949
2387
|
#
|
1950
2388
|
# @option params [Array<String>] :grant_tokens
|
1951
2389
|
# A list of grant tokens.
|
@@ -2008,40 +2446,74 @@ module Aws::KMS
|
|
2008
2446
|
req.send_request(options)
|
2009
2447
|
end
|
2010
2448
|
|
2011
|
-
# Generates a unique data key.
|
2012
|
-
#
|
2013
|
-
#
|
2014
|
-
#
|
2449
|
+
# Generates a unique asymmetric data key pair. The `GenerateDataKeyPair`
|
2450
|
+
# operation returns a plaintext public key, a plaintext private key, and
|
2451
|
+
# a copy of the private key that is encrypted under the symmetric CMK
|
2452
|
+
# you specify. You can use the data key pair to perform asymmetric
|
2453
|
+
# cryptography outside of AWS KMS.
|
2454
|
+
#
|
2455
|
+
# `GenerateDataKeyPair` returns a unique data key pair for each request.
|
2456
|
+
# The bytes in the keys are not related to the caller or the CMK that is
|
2457
|
+
# used to encrypt the private key.
|
2458
|
+
#
|
2459
|
+
# You can use the public key that `GenerateDataKeyPair` returns to
|
2460
|
+
# encrypt data or verify a signature outside of AWS KMS. Then, store the
|
2461
|
+
# encrypted private key with the data. When you are ready to decrypt
|
2462
|
+
# data or sign a message, you can use the Decrypt operation to decrypt
|
2463
|
+
# the encrypted private key.
|
2464
|
+
#
|
2465
|
+
# To generate a data key pair, you must specify a symmetric customer
|
2466
|
+
# master key (CMK) to encrypt the private key in a data key pair. You
|
2467
|
+
# cannot use an asymmetric CMK. To get the type of your CMK, use the
|
2468
|
+
# DescribeKey operation.
|
2469
|
+
#
|
2470
|
+
# If you are using the data key pair to encrypt data, or for any
|
2471
|
+
# operation where you don't immediately need a private key, consider
|
2472
|
+
# using the GenerateDataKeyPairWithoutPlaintext operation.
|
2473
|
+
# `GenerateDataKeyPairWithoutPlaintext` returns a plaintext public key
|
2474
|
+
# and an encrypted private key, but omits the plaintext private key that
|
2475
|
+
# you need only to decrypt ciphertext or sign a message. Later, when you
|
2476
|
+
# need to decrypt the data or sign a message, use the Decrypt operation
|
2477
|
+
# to decrypt the encrypted private key in the data key pair.
|
2015
2478
|
#
|
2016
|
-
#
|
2017
|
-
#
|
2018
|
-
#
|
2479
|
+
# You can use the optional encryption context to add additional security
|
2480
|
+
# to the encryption operation. If you specify an `EncryptionContext`,
|
2481
|
+
# you must specify the same encryption context (a case-sensitive exact
|
2482
|
+
# match) when decrypting the encrypted data key. Otherwise, the request
|
2483
|
+
# to decrypt fails with an InvalidCiphertextException. For more
|
2484
|
+
# information, see [Encryption Context][1] in the *AWS Key Management
|
2485
|
+
# Service Developer Guide*.
|
2019
2486
|
#
|
2020
|
-
#
|
2021
|
-
#
|
2022
|
-
#
|
2487
|
+
# The CMK that you use for this operation must be in a compatible key
|
2488
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
2489
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2023
2490
|
#
|
2024
|
-
# It's also useful in distributed systems with different levels of
|
2025
|
-
# trust. For example, you might store encrypted data in containers. One
|
2026
|
-
# component of your system creates new containers and stores an
|
2027
|
-
# encrypted data key with each container. Then, a different component
|
2028
|
-
# puts the data into the containers. That component first decrypts the
|
2029
|
-
# data key, uses the plaintext data key to encrypt data, puts the
|
2030
|
-
# encrypted data into the container, and then destroys the plaintext
|
2031
|
-
# data key. In this system, the component that creates the containers
|
2032
|
-
# never sees the plaintext data key.
|
2033
2491
|
#
|
2034
|
-
# The result of this operation varies with the key state of the CMK. For
|
2035
|
-
# details, see [How Key State Affects Use of a Customer Master Key][1]
|
2036
|
-
# in the *AWS Key Management Service Developer Guide*.
|
2037
2492
|
#
|
2493
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2494
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2495
|
+
#
|
2496
|
+
# @option params [Hash<String,String>] :encryption_context
|
2497
|
+
# Specifies the encryption context that will be used when encrypting the
|
2498
|
+
# private key in the data key pair.
|
2499
|
+
#
|
2500
|
+
# An *encryption context* is a collection of non-secret key-value pairs
|
2501
|
+
# that represents additional authenticated data. When you use an
|
2502
|
+
# encryption context to encrypt data, you must specify the same (an
|
2503
|
+
# exact case-sensitive match) encryption context to decrypt the data. An
|
2504
|
+
# encryption context is optional when encrypting with a symmetric CMK,
|
2505
|
+
# but it is highly recommended.
|
2506
|
+
#
|
2507
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
2508
|
+
# Management Service Developer Guide*.
|
2038
2509
|
#
|
2039
2510
|
#
|
2040
|
-
#
|
2511
|
+
#
|
2512
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2041
2513
|
#
|
2042
2514
|
# @option params [required, String] :key_id
|
2043
|
-
#
|
2044
|
-
# key.
|
2515
|
+
# Specifies the symmetric CMK that encrypts the private key in the data
|
2516
|
+
# key pair. You cannot specify an asymmetric CMKs.
|
2045
2517
|
#
|
2046
2518
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2047
2519
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -2062,26 +2534,13 @@ module Aws::KMS
|
|
2062
2534
|
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
2063
2535
|
# To get the alias name and alias ARN, use ListAliases.
|
2064
2536
|
#
|
2065
|
-
# @option params [
|
2066
|
-
#
|
2067
|
-
# data.
|
2068
|
-
#
|
2069
|
-
# For more information, see [Encryption Context][1] in the *AWS Key
|
2070
|
-
# Management Service Developer Guide*.
|
2071
|
-
#
|
2072
|
-
#
|
2073
|
-
#
|
2074
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2075
|
-
#
|
2076
|
-
# @option params [String] :key_spec
|
2077
|
-
# The length of the data key. Use `AES_128` to generate a 128-bit
|
2078
|
-
# symmetric key, or `AES_256` to generate a 256-bit symmetric key.
|
2537
|
+
# @option params [required, String] :key_pair_spec
|
2538
|
+
# Determines the type of data key pair that is generated.
|
2079
2539
|
#
|
2080
|
-
#
|
2081
|
-
#
|
2082
|
-
#
|
2083
|
-
#
|
2084
|
-
# use the `KeySpec` field instead of this one.
|
2540
|
+
# The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
|
2541
|
+
# encrypt and decrypt or to sign and verify (but not both), and the rule
|
2542
|
+
# that permits you to use ECC CMKs only to sign and verify, are not
|
2543
|
+
# effective outside of AWS KMS.
|
2085
2544
|
#
|
2086
2545
|
# @option params [Array<String>] :grant_tokens
|
2087
2546
|
# A list of grant tokens.
|
@@ -2093,36 +2552,317 @@ module Aws::KMS
|
|
2093
2552
|
#
|
2094
2553
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
2095
2554
|
#
|
2096
|
-
# @return [Types::
|
2097
|
-
#
|
2098
|
-
# * {Types::GenerateDataKeyWithoutPlaintextResponse#ciphertext_blob #ciphertext_blob} => String
|
2099
|
-
# * {Types::GenerateDataKeyWithoutPlaintextResponse#key_id #key_id} => String
|
2100
|
-
#
|
2101
|
-
#
|
2102
|
-
# @example Example: To generate an encrypted data key
|
2103
|
-
#
|
2104
|
-
# # The following example generates an encrypted copy of a 256-bit symmetric data encryption key (data key). The data key is
|
2105
|
-
# # encrypted with the specified customer master key (CMK).
|
2106
|
-
#
|
2107
|
-
# resp = client.generate_data_key_without_plaintext({
|
2108
|
-
# key_id: "alias/ExampleAlias", # The identifier of the CMK to use to encrypt the data key. You can use the key ID or Amazon Resource Name (ARN) of the CMK, or the name or ARN of an alias that refers to the CMK.
|
2109
|
-
# key_spec: "AES_256", # Specifies the type of data key to return.
|
2110
|
-
# })
|
2555
|
+
# @return [Types::GenerateDataKeyPairResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2111
2556
|
#
|
2112
|
-
#
|
2113
|
-
# {
|
2114
|
-
#
|
2115
|
-
#
|
2116
|
-
# }
|
2557
|
+
# * {Types::GenerateDataKeyPairResponse#private_key_ciphertext_blob #private_key_ciphertext_blob} => String
|
2558
|
+
# * {Types::GenerateDataKeyPairResponse#private_key_plaintext #private_key_plaintext} => String
|
2559
|
+
# * {Types::GenerateDataKeyPairResponse#public_key #public_key} => String
|
2560
|
+
# * {Types::GenerateDataKeyPairResponse#key_id #key_id} => String
|
2561
|
+
# * {Types::GenerateDataKeyPairResponse#key_pair_spec #key_pair_spec} => String
|
2117
2562
|
#
|
2118
2563
|
# @example Request syntax with placeholder values
|
2119
2564
|
#
|
2120
|
-
# resp = client.
|
2121
|
-
# key_id: "KeyIdType", # required
|
2565
|
+
# resp = client.generate_data_key_pair({
|
2122
2566
|
# encryption_context: {
|
2123
2567
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
2124
2568
|
# },
|
2125
|
-
#
|
2569
|
+
# key_id: "KeyIdType", # required
|
2570
|
+
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
2571
|
+
# grant_tokens: ["GrantTokenType"],
|
2572
|
+
# })
|
2573
|
+
#
|
2574
|
+
# @example Response structure
|
2575
|
+
#
|
2576
|
+
# resp.private_key_ciphertext_blob #=> String
|
2577
|
+
# resp.private_key_plaintext #=> String
|
2578
|
+
# resp.public_key #=> String
|
2579
|
+
# resp.key_id #=> String
|
2580
|
+
# resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"
|
2581
|
+
#
|
2582
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair AWS API Documentation
|
2583
|
+
#
|
2584
|
+
# @overload generate_data_key_pair(params = {})
|
2585
|
+
# @param [Hash] params ({})
|
2586
|
+
def generate_data_key_pair(params = {}, options = {})
|
2587
|
+
req = build_request(:generate_data_key_pair, params)
|
2588
|
+
req.send_request(options)
|
2589
|
+
end
|
2590
|
+
|
2591
|
+
# Generates a unique asymmetric data key pair. The
|
2592
|
+
# `GenerateDataKeyPairWithoutPlaintext` operation returns a plaintext
|
2593
|
+
# public key and a copy of the private key that is encrypted under the
|
2594
|
+
# symmetric CMK you specify. Unlike GenerateDataKeyPair, this operation
|
2595
|
+
# does not return a plaintext private key.
|
2596
|
+
#
|
2597
|
+
# To generate a data key pair, you must specify a symmetric customer
|
2598
|
+
# master key (CMK) to encrypt the private key in the data key pair. You
|
2599
|
+
# cannot use an asymmetric CMK. To get the type of your CMK, use the
|
2600
|
+
# `KeySpec` field in the DescribeKey response.
|
2601
|
+
#
|
2602
|
+
# You can use the public key that `GenerateDataKeyPairWithoutPlaintext`
|
2603
|
+
# returns to encrypt data or verify a signature outside of AWS KMS.
|
2604
|
+
# Then, store the encrypted private key with the data. When you are
|
2605
|
+
# ready to decrypt data or sign a message, you can use the Decrypt
|
2606
|
+
# operation to decrypt the encrypted private key.
|
2607
|
+
#
|
2608
|
+
# `GenerateDataKeyPairWithoutPlaintext` returns a unique data key pair
|
2609
|
+
# for each request. The bytes in the key are not related to the caller
|
2610
|
+
# or CMK that is used to encrypt the private key.
|
2611
|
+
#
|
2612
|
+
# You can use the optional encryption context to add additional security
|
2613
|
+
# to the encryption operation. If you specify an `EncryptionContext`,
|
2614
|
+
# you must specify the same encryption context (a case-sensitive exact
|
2615
|
+
# match) when decrypting the encrypted data key. Otherwise, the request
|
2616
|
+
# to decrypt fails with an InvalidCiphertextException. For more
|
2617
|
+
# information, see [Encryption Context][1] in the *AWS Key Management
|
2618
|
+
# Service Developer Guide*.
|
2619
|
+
#
|
2620
|
+
# The CMK that you use for this operation must be in a compatible key
|
2621
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
2622
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2623
|
+
#
|
2624
|
+
#
|
2625
|
+
#
|
2626
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2627
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2628
|
+
#
|
2629
|
+
# @option params [Hash<String,String>] :encryption_context
|
2630
|
+
# Specifies the encryption context that will be used when encrypting the
|
2631
|
+
# private key in the data key pair.
|
2632
|
+
#
|
2633
|
+
# An *encryption context* is a collection of non-secret key-value pairs
|
2634
|
+
# that represents additional authenticated data. When you use an
|
2635
|
+
# encryption context to encrypt data, you must specify the same (an
|
2636
|
+
# exact case-sensitive match) encryption context to decrypt the data. An
|
2637
|
+
# encryption context is optional when encrypting with a symmetric CMK,
|
2638
|
+
# but it is highly recommended.
|
2639
|
+
#
|
2640
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
2641
|
+
# Management Service Developer Guide*.
|
2642
|
+
#
|
2643
|
+
#
|
2644
|
+
#
|
2645
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2646
|
+
#
|
2647
|
+
# @option params [required, String] :key_id
|
2648
|
+
# Specifies the CMK that encrypts the private key in the data key pair.
|
2649
|
+
# You must specify a symmetric CMK. You cannot use an asymmetric CMK.
|
2650
|
+
#
|
2651
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2652
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
2653
|
+
# `"alias/"`.
|
2654
|
+
#
|
2655
|
+
# For example:
|
2656
|
+
#
|
2657
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
2658
|
+
#
|
2659
|
+
# * Key ARN:
|
2660
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
2661
|
+
#
|
2662
|
+
# * Alias name: `alias/ExampleAlias`
|
2663
|
+
#
|
2664
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
2665
|
+
#
|
2666
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
2667
|
+
# To get the alias name and alias ARN, use ListAliases.
|
2668
|
+
#
|
2669
|
+
# @option params [required, String] :key_pair_spec
|
2670
|
+
# Determines the type of data key pair that is generated.
|
2671
|
+
#
|
2672
|
+
# The AWS KMS rule that restricts the use of asymmetric RSA CMKs to
|
2673
|
+
# encrypt and decrypt or to sign and verify (but not both), and the rule
|
2674
|
+
# that permits you to use ECC CMKs only to sign and verify, are not
|
2675
|
+
# effective outside of AWS KMS.
|
2676
|
+
#
|
2677
|
+
# @option params [Array<String>] :grant_tokens
|
2678
|
+
# A list of grant tokens.
|
2679
|
+
#
|
2680
|
+
# For more information, see [Grant Tokens][1] in the *AWS Key Management
|
2681
|
+
# Service Developer Guide*.
|
2682
|
+
#
|
2683
|
+
#
|
2684
|
+
#
|
2685
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
2686
|
+
#
|
2687
|
+
# @return [Types::GenerateDataKeyPairWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2688
|
+
#
|
2689
|
+
# * {Types::GenerateDataKeyPairWithoutPlaintextResponse#private_key_ciphertext_blob #private_key_ciphertext_blob} => String
|
2690
|
+
# * {Types::GenerateDataKeyPairWithoutPlaintextResponse#public_key #public_key} => String
|
2691
|
+
# * {Types::GenerateDataKeyPairWithoutPlaintextResponse#key_id #key_id} => String
|
2692
|
+
# * {Types::GenerateDataKeyPairWithoutPlaintextResponse#key_pair_spec #key_pair_spec} => String
|
2693
|
+
#
|
2694
|
+
# @example Request syntax with placeholder values
|
2695
|
+
#
|
2696
|
+
# resp = client.generate_data_key_pair_without_plaintext({
|
2697
|
+
# encryption_context: {
|
2698
|
+
# "EncryptionContextKey" => "EncryptionContextValue",
|
2699
|
+
# },
|
2700
|
+
# key_id: "KeyIdType", # required
|
2701
|
+
# key_pair_spec: "RSA_2048", # required, accepts RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
|
2702
|
+
# grant_tokens: ["GrantTokenType"],
|
2703
|
+
# })
|
2704
|
+
#
|
2705
|
+
# @example Response structure
|
2706
|
+
#
|
2707
|
+
# resp.private_key_ciphertext_blob #=> String
|
2708
|
+
# resp.public_key #=> String
|
2709
|
+
# resp.key_id #=> String
|
2710
|
+
# resp.key_pair_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1"
|
2711
|
+
#
|
2712
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext AWS API Documentation
|
2713
|
+
#
|
2714
|
+
# @overload generate_data_key_pair_without_plaintext(params = {})
|
2715
|
+
# @param [Hash] params ({})
|
2716
|
+
def generate_data_key_pair_without_plaintext(params = {}, options = {})
|
2717
|
+
req = build_request(:generate_data_key_pair_without_plaintext, params)
|
2718
|
+
req.send_request(options)
|
2719
|
+
end
|
2720
|
+
|
2721
|
+
# Generates a unique symmetric data key. This operation returns a data
|
2722
|
+
# key that is encrypted under a customer master key (CMK) that you
|
2723
|
+
# specify. To request an asymmetric data key pair, use the
|
2724
|
+
# GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operations.
|
2725
|
+
#
|
2726
|
+
# `GenerateDataKeyWithoutPlaintext` is identical to the GenerateDataKey
|
2727
|
+
# operation except that returns only the encrypted copy of the data key.
|
2728
|
+
# This operation is useful for systems that need to encrypt data at some
|
2729
|
+
# point, but not immediately. When you need to encrypt the data, you
|
2730
|
+
# call the Decrypt operation on the encrypted copy of the key.
|
2731
|
+
#
|
2732
|
+
# It's also useful in distributed systems with different levels of
|
2733
|
+
# trust. For example, you might store encrypted data in containers. One
|
2734
|
+
# component of your system creates new containers and stores an
|
2735
|
+
# encrypted data key with each container. Then, a different component
|
2736
|
+
# puts the data into the containers. That component first decrypts the
|
2737
|
+
# data key, uses the plaintext data key to encrypt data, puts the
|
2738
|
+
# encrypted data into the container, and then destroys the plaintext
|
2739
|
+
# data key. In this system, the component that creates the containers
|
2740
|
+
# never sees the plaintext data key.
|
2741
|
+
#
|
2742
|
+
# `GenerateDataKeyWithoutPlaintext` returns a unique data key for each
|
2743
|
+
# request. The bytes in the keys are not related to the caller or CMK
|
2744
|
+
# that is used to encrypt the private key.
|
2745
|
+
#
|
2746
|
+
# To generate a data key, you must specify the symmetric customer master
|
2747
|
+
# key (CMK) that is used to encrypt the data key. You cannot use an
|
2748
|
+
# asymmetric CMK to generate a data key. To get the type of your CMK,
|
2749
|
+
# use the `KeySpec` field in the DescribeKey response. You must also
|
2750
|
+
# specify the length of the data key using either the `KeySpec` or
|
2751
|
+
# `NumberOfBytes` field (but not both). For common key lengths (128-bit
|
2752
|
+
# and 256-bit symmetric keys), use the `KeySpec` parameter.
|
2753
|
+
#
|
2754
|
+
# If the operation succeeds, you will find the plaintext copy of the
|
2755
|
+
# data key in the `Plaintext` field of the response, and the encrypted
|
2756
|
+
# copy of the data key in the `CiphertextBlob` field.
|
2757
|
+
#
|
2758
|
+
# You can use the optional encryption context to add additional security
|
2759
|
+
# to the encryption operation. If you specify an `EncryptionContext`,
|
2760
|
+
# you must specify the same encryption context (a case-sensitive exact
|
2761
|
+
# match) when decrypting the encrypted data key. Otherwise, the request
|
2762
|
+
# to decrypt fails with an InvalidCiphertextException. For more
|
2763
|
+
# information, see [Encryption Context][1] in the *AWS Key Management
|
2764
|
+
# Service Developer Guide*.
|
2765
|
+
#
|
2766
|
+
# The CMK that you use for this operation must be in a compatible key
|
2767
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
2768
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2769
|
+
#
|
2770
|
+
#
|
2771
|
+
#
|
2772
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2773
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2774
|
+
#
|
2775
|
+
# @option params [required, String] :key_id
|
2776
|
+
# The identifier of the symmetric customer master key (CMK) that
|
2777
|
+
# encrypts the data key.
|
2778
|
+
#
|
2779
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
2780
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
2781
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must use
|
2782
|
+
# the key ARN or alias ARN.
|
2783
|
+
#
|
2784
|
+
# For example:
|
2785
|
+
#
|
2786
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
2787
|
+
#
|
2788
|
+
# * Key ARN:
|
2789
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
2790
|
+
#
|
2791
|
+
# * Alias name: `alias/ExampleAlias`
|
2792
|
+
#
|
2793
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
2794
|
+
#
|
2795
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
2796
|
+
# To get the alias name and alias ARN, use ListAliases.
|
2797
|
+
#
|
2798
|
+
# @option params [Hash<String,String>] :encryption_context
|
2799
|
+
# Specifies the encryption context that will be used when encrypting the
|
2800
|
+
# data key.
|
2801
|
+
#
|
2802
|
+
# An *encryption context* is a collection of non-secret key-value pairs
|
2803
|
+
# that represents additional authenticated data. When you use an
|
2804
|
+
# encryption context to encrypt data, you must specify the same (an
|
2805
|
+
# exact case-sensitive match) encryption context to decrypt the data. An
|
2806
|
+
# encryption context is optional when encrypting with a symmetric CMK,
|
2807
|
+
# but it is highly recommended.
|
2808
|
+
#
|
2809
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
2810
|
+
# Management Service Developer Guide*.
|
2811
|
+
#
|
2812
|
+
#
|
2813
|
+
#
|
2814
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
2815
|
+
#
|
2816
|
+
# @option params [String] :key_spec
|
2817
|
+
# The length of the data key. Use `AES_128` to generate a 128-bit
|
2818
|
+
# symmetric key, or `AES_256` to generate a 256-bit symmetric key.
|
2819
|
+
#
|
2820
|
+
# @option params [Integer] :number_of_bytes
|
2821
|
+
# The length of the data key in bytes. For example, use the value 64 to
|
2822
|
+
# generate a 512-bit data key (64 bytes is 512 bits). For common key
|
2823
|
+
# lengths (128-bit and 256-bit symmetric keys), we recommend that you
|
2824
|
+
# use the `KeySpec` field instead of this one.
|
2825
|
+
#
|
2826
|
+
# @option params [Array<String>] :grant_tokens
|
2827
|
+
# A list of grant tokens.
|
2828
|
+
#
|
2829
|
+
# For more information, see [Grant Tokens][1] in the *AWS Key Management
|
2830
|
+
# Service Developer Guide*.
|
2831
|
+
#
|
2832
|
+
#
|
2833
|
+
#
|
2834
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
2835
|
+
#
|
2836
|
+
# @return [Types::GenerateDataKeyWithoutPlaintextResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
2837
|
+
#
|
2838
|
+
# * {Types::GenerateDataKeyWithoutPlaintextResponse#ciphertext_blob #ciphertext_blob} => String
|
2839
|
+
# * {Types::GenerateDataKeyWithoutPlaintextResponse#key_id #key_id} => String
|
2840
|
+
#
|
2841
|
+
#
|
2842
|
+
# @example Example: To generate an encrypted data key
|
2843
|
+
#
|
2844
|
+
# # The following example generates an encrypted copy of a 256-bit symmetric data encryption key (data key). The data key is
|
2845
|
+
# # encrypted with the specified customer master key (CMK).
|
2846
|
+
#
|
2847
|
+
# resp = client.generate_data_key_without_plaintext({
|
2848
|
+
# key_id: "alias/ExampleAlias", # The identifier of the CMK to use to encrypt the data key. You can use the key ID or Amazon Resource Name (ARN) of the CMK, or the name or ARN of an alias that refers to the CMK.
|
2849
|
+
# key_spec: "AES_256", # Specifies the type of data key to return.
|
2850
|
+
# })
|
2851
|
+
#
|
2852
|
+
# resp.to_h outputs the following:
|
2853
|
+
# {
|
2854
|
+
# ciphertext_blob: "<binary data>", # The encrypted data key.
|
2855
|
+
# key_id: "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", # The ARN of the CMK that was used to encrypt the data key.
|
2856
|
+
# }
|
2857
|
+
#
|
2858
|
+
# @example Request syntax with placeholder values
|
2859
|
+
#
|
2860
|
+
# resp = client.generate_data_key_without_plaintext({
|
2861
|
+
# key_id: "KeyIdType", # required
|
2862
|
+
# encryption_context: {
|
2863
|
+
# "EncryptionContextKey" => "EncryptionContextValue",
|
2864
|
+
# },
|
2865
|
+
# key_spec: "AES_256", # accepts AES_256, AES_128
|
2126
2866
|
# number_of_bytes: 1,
|
2127
2867
|
# grant_tokens: ["GrantTokenType"],
|
2128
2868
|
# })
|
@@ -2270,9 +3010,13 @@ module Aws::KMS
|
|
2270
3010
|
# key material][1] is enabled for the specified customer master key
|
2271
3011
|
# (CMK).
|
2272
3012
|
#
|
2273
|
-
#
|
2274
|
-
#
|
2275
|
-
#
|
3013
|
+
# You cannot enable automatic rotation of asymmetric CMKs, CMKs with
|
3014
|
+
# imported key material, or CMKs in a [custom key store][2]. The key
|
3015
|
+
# rotation status for these CMKs is always `false`.
|
3016
|
+
#
|
3017
|
+
# The CMK that you use for this operation must be in a compatible key
|
3018
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
3019
|
+
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
2276
3020
|
#
|
2277
3021
|
# * Disabled: The key rotation status does not change when you disable a
|
2278
3022
|
# CMK. However, while the CMK is disabled, AWS KMS does not rotate the
|
@@ -2289,7 +3033,8 @@ module Aws::KMS
|
|
2289
3033
|
#
|
2290
3034
|
#
|
2291
3035
|
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
|
2292
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-
|
3036
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
|
3037
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2293
3038
|
#
|
2294
3039
|
# @option params [required, String] :key_id
|
2295
3040
|
# A unique identifier for the customer master key (CMK).
|
@@ -2343,29 +3088,32 @@ module Aws::KMS
|
|
2343
3088
|
req.send_request(options)
|
2344
3089
|
end
|
2345
3090
|
|
2346
|
-
# Returns the items you need
|
2347
|
-
#
|
2348
|
-
#
|
2349
|
-
#
|
2350
|
-
#
|
2351
|
-
# You must specify the key ID of the customer master key (CMK) into
|
2352
|
-
# which you will import key material. This CMK's `Origin` must be
|
2353
|
-
# `EXTERNAL`. You must also specify the wrapping algorithm and type of
|
2354
|
-
# wrapping key (public key) that you will use to encrypt the key
|
2355
|
-
# material. You cannot perform this operation on a CMK in a different
|
2356
|
-
# AWS account.
|
3091
|
+
# Returns the items you need to import key material into a symmetric,
|
3092
|
+
# customer managed customer master key (CMK). For more information about
|
3093
|
+
# importing key material into AWS KMS, see [Importing Key Material][1]
|
3094
|
+
# in the *AWS Key Management Service Developer Guide*.
|
2357
3095
|
#
|
2358
3096
|
# This operation returns a public key and an import token. Use the
|
2359
|
-
# public key to encrypt the key material. Store the import
|
2360
|
-
# with a subsequent ImportKeyMaterial request.
|
2361
|
-
#
|
2362
|
-
#
|
2363
|
-
#
|
3097
|
+
# public key to encrypt the symmetric key material. Store the import
|
3098
|
+
# token to send with a subsequent ImportKeyMaterial request.
|
3099
|
+
#
|
3100
|
+
# You must specify the key ID of the symmetric CMK into which you will
|
3101
|
+
# import key material. This CMK's `Origin` must be `EXTERNAL`. You must
|
3102
|
+
# also specify the wrapping algorithm and type of wrapping key (public
|
3103
|
+
# key) that you will use to encrypt the key material. You cannot perform
|
3104
|
+
# this operation on an asymmetric CMK or on any CMK in a different AWS
|
3105
|
+
# account.
|
3106
|
+
#
|
3107
|
+
# To import key material, you must use the public key and import token
|
3108
|
+
# from the same response. These items are valid for 24 hours. The
|
3109
|
+
# expiration date and time appear in the `GetParametersForImport`
|
3110
|
+
# response. You cannot use an expired token in an ImportKeyMaterial
|
3111
|
+
# request. If your key and token expire, send another
|
2364
3112
|
# `GetParametersForImport` request.
|
2365
3113
|
#
|
2366
|
-
# The
|
2367
|
-
# details, see [How Key State Affects Use of a Customer
|
2368
|
-
# in the *AWS Key Management Service Developer Guide*.
|
3114
|
+
# The CMK that you use for this operation must be in a compatible key
|
3115
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
3116
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
2369
3117
|
#
|
2370
3118
|
#
|
2371
3119
|
#
|
@@ -2373,8 +3121,8 @@ module Aws::KMS
|
|
2373
3121
|
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2374
3122
|
#
|
2375
3123
|
# @option params [required, String] :key_id
|
2376
|
-
# The identifier of the CMK into which you will import key
|
2377
|
-
#
|
3124
|
+
# The identifier of the symmetric CMK into which you will import key
|
3125
|
+
# material. The `Origin` of the CMK must be `EXTERNAL`.
|
2378
3126
|
#
|
2379
3127
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
2380
3128
|
#
|
@@ -2451,12 +3199,136 @@ module Aws::KMS
|
|
2451
3199
|
req.send_request(options)
|
2452
3200
|
end
|
2453
3201
|
|
2454
|
-
#
|
2455
|
-
#
|
2456
|
-
#
|
2457
|
-
#
|
2458
|
-
#
|
2459
|
-
#
|
3202
|
+
# Returns the public key of an asymmetric CMK. Unlike the private key of
|
3203
|
+
# a asymmetric CMK, which never leaves AWS KMS unencrypted, callers with
|
3204
|
+
# `kms:GetPublicKey` permission can download the public key of an
|
3205
|
+
# asymmetric CMK. You can share the public key to allow others to
|
3206
|
+
# encrypt messages and verify signatures outside of AWS KMS. For
|
3207
|
+
# information about symmetric and asymmetric CMKs, see [Using Symmetric
|
3208
|
+
# and Asymmetric CMKs][1] in the *AWS Key Management Service Developer
|
3209
|
+
# Guide*.
|
3210
|
+
#
|
3211
|
+
# You do not need to download the public key. Instead, you can use the
|
3212
|
+
# public key within AWS KMS by calling the Encrypt, ReEncrypt, or Verify
|
3213
|
+
# operations with the identifier of an asymmetric CMK. When you use the
|
3214
|
+
# public key within AWS KMS, you benefit from the authentication,
|
3215
|
+
# authorization, and logging that are part of every AWS KMS operation.
|
3216
|
+
# You also reduce of risk of encrypting data that cannot be decrypted.
|
3217
|
+
# These features are not effective outside of AWS KMS. For details, see
|
3218
|
+
# [Special Considerations for Downloading Public Keys][2].
|
3219
|
+
#
|
3220
|
+
# To help you use the public key safely outside of AWS KMS,
|
3221
|
+
# `GetPublicKey` returns important information about the public key in
|
3222
|
+
# the response, including:
|
3223
|
+
#
|
3224
|
+
# * [CustomerMasterKeySpec][3]\: The type of key material in the public
|
3225
|
+
# key, such as `RSA_4096` or `ECC_NIST_P521`.
|
3226
|
+
#
|
3227
|
+
# * [KeyUsage][4]\: Whether the key is used for encryption or signing.
|
3228
|
+
#
|
3229
|
+
# * [EncryptionAlgorithms][5] or [SigningAlgorithms][6]\: A list of the
|
3230
|
+
# encryption algorithms or the signing algorithms for the key.
|
3231
|
+
#
|
3232
|
+
# Although AWS KMS cannot enforce these restrictions on external
|
3233
|
+
# operations, it is crucial that you use this information to prevent the
|
3234
|
+
# public key from being used improperly. For example, you can prevent a
|
3235
|
+
# public signing key from being used encrypt data, or prevent a public
|
3236
|
+
# key from being used with an encryption algorithm that is not supported
|
3237
|
+
# by AWS KMS. You can also avoid errors, such as using the wrong signing
|
3238
|
+
# algorithm in a verification operation.
|
3239
|
+
#
|
3240
|
+
# The CMK that you use for this operation must be in a compatible key
|
3241
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
3242
|
+
# Master Key][7] in the *AWS Key Management Service Developer Guide*.
|
3243
|
+
#
|
3244
|
+
#
|
3245
|
+
#
|
3246
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
3247
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations
|
3248
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-CustomerMasterKeySpec
|
3249
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage
|
3250
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms
|
3251
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms
|
3252
|
+
# [7]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3253
|
+
#
|
3254
|
+
# @option params [required, String] :key_id
|
3255
|
+
# Identifies the asymmetric CMK that includes the public key.
|
3256
|
+
#
|
3257
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
3258
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
3259
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must use
|
3260
|
+
# the key ARN or alias ARN.
|
3261
|
+
#
|
3262
|
+
# For example:
|
3263
|
+
#
|
3264
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
3265
|
+
#
|
3266
|
+
# * Key ARN:
|
3267
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
3268
|
+
#
|
3269
|
+
# * Alias name: `alias/ExampleAlias`
|
3270
|
+
#
|
3271
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
3272
|
+
#
|
3273
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
3274
|
+
# To get the alias name and alias ARN, use ListAliases.
|
3275
|
+
#
|
3276
|
+
# @option params [Array<String>] :grant_tokens
|
3277
|
+
# A list of grant tokens.
|
3278
|
+
#
|
3279
|
+
# For more information, see [Grant Tokens][1] in the *AWS Key Management
|
3280
|
+
# Service Developer Guide*.
|
3281
|
+
#
|
3282
|
+
#
|
3283
|
+
#
|
3284
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
3285
|
+
#
|
3286
|
+
# @return [Types::GetPublicKeyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
3287
|
+
#
|
3288
|
+
# * {Types::GetPublicKeyResponse#key_id #key_id} => String
|
3289
|
+
# * {Types::GetPublicKeyResponse#public_key #public_key} => String
|
3290
|
+
# * {Types::GetPublicKeyResponse#customer_master_key_spec #customer_master_key_spec} => String
|
3291
|
+
# * {Types::GetPublicKeyResponse#key_usage #key_usage} => String
|
3292
|
+
# * {Types::GetPublicKeyResponse#encryption_algorithms #encryption_algorithms} => Array<String>
|
3293
|
+
# * {Types::GetPublicKeyResponse#signing_algorithms #signing_algorithms} => Array<String>
|
3294
|
+
#
|
3295
|
+
# @example Request syntax with placeholder values
|
3296
|
+
#
|
3297
|
+
# resp = client.get_public_key({
|
3298
|
+
# key_id: "KeyIdType", # required
|
3299
|
+
# grant_tokens: ["GrantTokenType"],
|
3300
|
+
# })
|
3301
|
+
#
|
3302
|
+
# @example Response structure
|
3303
|
+
#
|
3304
|
+
# resp.key_id #=> String
|
3305
|
+
# resp.public_key #=> String
|
3306
|
+
# resp.customer_master_key_spec #=> String, one of "RSA_2048", "RSA_3072", "RSA_4096", "ECC_NIST_P256", "ECC_NIST_P384", "ECC_NIST_P521", "ECC_SECG_P256K1", "SYMMETRIC_DEFAULT"
|
3307
|
+
# resp.key_usage #=> String, one of "SIGN_VERIFY", "ENCRYPT_DECRYPT"
|
3308
|
+
# resp.encryption_algorithms #=> Array
|
3309
|
+
# resp.encryption_algorithms[0] #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
3310
|
+
# resp.signing_algorithms #=> Array
|
3311
|
+
# resp.signing_algorithms[0] #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
3312
|
+
#
|
3313
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey AWS API Documentation
|
3314
|
+
#
|
3315
|
+
# @overload get_public_key(params = {})
|
3316
|
+
# @param [Hash] params ({})
|
3317
|
+
def get_public_key(params = {}, options = {})
|
3318
|
+
req = build_request(:get_public_key, params)
|
3319
|
+
req.send_request(options)
|
3320
|
+
end
|
3321
|
+
|
3322
|
+
# Imports key material into an existing symmetric AWS KMS customer
|
3323
|
+
# master key (CMK) that was created without key material. After you
|
3324
|
+
# successfully import key material into a CMK, you can [reimport the
|
3325
|
+
# same key material][1] into that CMK, but you cannot import different
|
3326
|
+
# key material.
|
3327
|
+
#
|
3328
|
+
# You cannot perform this operation on an asymmetric CMK or on any CMK
|
3329
|
+
# in a different AWS account. For more information about creating CMKs
|
3330
|
+
# with no key material and then importing key material, see [Importing
|
3331
|
+
# Key Material][2] in the *AWS Key Management Service Developer Guide*.
|
2460
3332
|
#
|
2461
3333
|
# Before using this operation, call GetParametersForImport. Its response
|
2462
3334
|
# includes a public key and an import token. Use the public key to
|
@@ -2475,35 +3347,43 @@ module Aws::KMS
|
|
2475
3347
|
# * The encrypted key material. To get the public key to encrypt the key
|
2476
3348
|
# material, call GetParametersForImport.
|
2477
3349
|
#
|
2478
|
-
# * The import token that GetParametersForImport returned.
|
2479
|
-
#
|
2480
|
-
#
|
3350
|
+
# * The import token that GetParametersForImport returned. You must use
|
3351
|
+
# a public key and token from the same `GetParametersForImport`
|
3352
|
+
# response.
|
2481
3353
|
#
|
2482
3354
|
# * Whether the key material expires and if so, when. If you set an
|
2483
|
-
# expiration date,
|
2484
|
-
#
|
2485
|
-
#
|
2486
|
-
#
|
2487
|
-
#
|
3355
|
+
# expiration date, AWS KMS deletes the key material from the CMK on
|
3356
|
+
# the specified date, and the CMK becomes unusable. To use the CMK
|
3357
|
+
# again, you must reimport the same key material. The only way to
|
3358
|
+
# change an expiration date is by reimporting the same key material
|
3359
|
+
# and specifying a new expiration date.
|
2488
3360
|
#
|
2489
3361
|
# When this operation is successful, the key state of the CMK changes
|
2490
|
-
# from `PendingImport` to `Enabled`, and you can use the CMK.
|
2491
|
-
# successfully import key material into a CMK, you can reimport the same
|
2492
|
-
# key material into that CMK, but you cannot import different key
|
2493
|
-
# material.
|
3362
|
+
# from `PendingImport` to `Enabled`, and you can use the CMK.
|
2494
3363
|
#
|
2495
|
-
#
|
2496
|
-
#
|
2497
|
-
#
|
3364
|
+
# If this operation fails, use the exception to help determine the
|
3365
|
+
# problem. If the error is related to the key material, the import
|
3366
|
+
# token, or wrapping key, use GetParametersForImport to get a new public
|
3367
|
+
# key and import token for the CMK and repeat the import procedure. For
|
3368
|
+
# help, see [How To Import Key Material][3] in the *AWS Key Management
|
3369
|
+
# Service Developer Guide*.
|
2498
3370
|
#
|
3371
|
+
# The CMK that you use for this operation must be in a compatible key
|
3372
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
3373
|
+
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
2499
3374
|
#
|
2500
3375
|
#
|
2501
|
-
#
|
2502
|
-
# [
|
3376
|
+
#
|
3377
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
|
3378
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
|
3379
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview
|
3380
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
2503
3381
|
#
|
2504
3382
|
# @option params [required, String] :key_id
|
2505
|
-
# The identifier of the CMK
|
2506
|
-
# `Origin` must be `EXTERNAL`.
|
3383
|
+
# The identifier of the symmetric CMK that receives the imported key
|
3384
|
+
# material. The CMK's `Origin` must be `EXTERNAL`. This must be the
|
3385
|
+
# same CMK specified in the `KeyID` parameter of the corresponding
|
3386
|
+
# GetParametersForImport request.
|
2507
3387
|
#
|
2508
3388
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
2509
3389
|
#
|
@@ -2522,10 +3402,10 @@ module Aws::KMS
|
|
2522
3402
|
# contained the public key that you used to encrypt the key material.
|
2523
3403
|
#
|
2524
3404
|
# @option params [required, String, IO] :encrypted_key_material
|
2525
|
-
# The encrypted key material to import.
|
2526
|
-
#
|
2527
|
-
#
|
2528
|
-
#
|
3405
|
+
# The encrypted key material to import. The key material must be
|
3406
|
+
# encrypted with the public wrapping key that GetParametersForImport
|
3407
|
+
# returned, using the wrapping algorithm that you specified in the same
|
3408
|
+
# `GetParametersForImport` request.
|
2529
3409
|
#
|
2530
3410
|
# @option params [Time,DateTime,Date,Integer,String] :valid_to
|
2531
3411
|
# The time at which the imported key material expires. When the key
|
@@ -2831,7 +3711,7 @@ module Aws::KMS
|
|
2831
3711
|
# resp.grants[0].retiring_principal #=> String
|
2832
3712
|
# resp.grants[0].issuing_account #=> String
|
2833
3713
|
# resp.grants[0].operations #=> Array
|
2834
|
-
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "CreateGrant", "RetireGrant", "DescribeKey"
|
3714
|
+
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext"
|
2835
3715
|
# resp.grants[0].constraints.encryption_context_subset #=> Hash
|
2836
3716
|
# resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
|
2837
3717
|
# resp.grants[0].constraints.encryption_context_equals #=> Hash
|
@@ -2932,7 +3812,7 @@ module Aws::KMS
|
|
2932
3812
|
end
|
2933
3813
|
|
2934
3814
|
# Gets a list of all customer master keys (CMKs) in the caller's AWS
|
2935
|
-
# account and
|
3815
|
+
# account and Region.
|
2936
3816
|
#
|
2937
3817
|
# @option params [Integer] :limit
|
2938
3818
|
# Use this parameter to specify the maximum number of items to return.
|
@@ -3202,7 +4082,7 @@ module Aws::KMS
|
|
3202
4082
|
# resp.grants[0].retiring_principal #=> String
|
3203
4083
|
# resp.grants[0].issuing_account #=> String
|
3204
4084
|
# resp.grants[0].operations #=> Array
|
3205
|
-
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "CreateGrant", "RetireGrant", "DescribeKey"
|
4085
|
+
# resp.grants[0].operations[0] #=> String, one of "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey", "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext"
|
3206
4086
|
# resp.grants[0].constraints.encryption_context_subset #=> Hash
|
3207
4087
|
# resp.grants[0].constraints.encryption_context_subset["EncryptionContextKey"] #=> String
|
3208
4088
|
# resp.grants[0].constraints.encryption_context_equals #=> Hash
|
@@ -3326,40 +4206,142 @@ module Aws::KMS
|
|
3326
4206
|
req.send_request(options)
|
3327
4207
|
end
|
3328
4208
|
|
3329
|
-
#
|
3330
|
-
#
|
3331
|
-
# data is
|
3332
|
-
#
|
3333
|
-
#
|
3334
|
-
#
|
3335
|
-
#
|
3336
|
-
#
|
3337
|
-
#
|
3338
|
-
#
|
3339
|
-
#
|
3340
|
-
#
|
3341
|
-
#
|
3342
|
-
#
|
3343
|
-
#
|
3344
|
-
#
|
3345
|
-
#
|
3346
|
-
#
|
3347
|
-
#
|
4209
|
+
# Decrypts ciphertext and then reencrypts it entirely within AWS KMS.
|
4210
|
+
# You can use this operation to change the customer master key (CMK)
|
4211
|
+
# under which data is encrypted, such as when you [manually rotate][1] a
|
4212
|
+
# CMK or change the CMK that protects a ciphertext. You can also use it
|
4213
|
+
# to reencrypt ciphertext under the same CMK, such as to change the
|
4214
|
+
# encryption context of a ciphertext.
|
4215
|
+
#
|
4216
|
+
# The `ReEncrypt` operation can decrypt ciphertext that was encrypted by
|
4217
|
+
# using an AWS KMS CMK in an AWS KMS operation, such as Encrypt or
|
4218
|
+
# GenerateDataKey. It can also decrypt ciphertext that was encrypted by
|
4219
|
+
# using the public key of an asymmetric CMK outside of AWS KMS. However,
|
4220
|
+
# it cannot decrypt ciphertext produced by other libraries, such as the
|
4221
|
+
# [AWS Encryption SDK][2] or [Amazon S3 client-side encryption][3].
|
4222
|
+
# These libraries return a ciphertext format that is incompatible with
|
4223
|
+
# AWS KMS.
|
4224
|
+
#
|
4225
|
+
# When you use the `ReEncrypt` operation, you need to provide
|
4226
|
+
# information for the decrypt operation and the subsequent encrypt
|
4227
|
+
# operation.
|
3348
4228
|
#
|
4229
|
+
# * If your ciphertext was encrypted under an asymmetric CMK, you must
|
4230
|
+
# identify the *source CMK*, that is, the CMK that encrypted the
|
4231
|
+
# ciphertext. You must also supply the encryption algorithm that was
|
4232
|
+
# used. This information is required to decrypt the data.
|
4233
|
+
#
|
4234
|
+
# * It is optional, but you can specify a source CMK even when the
|
4235
|
+
# ciphertext was encrypted under a symmetric CMK. This ensures that
|
4236
|
+
# the ciphertext is decrypted only by using a particular CMK. If the
|
4237
|
+
# CMK that you specify cannot decrypt the ciphertext, the `ReEncrypt`
|
4238
|
+
# operation fails.
|
4239
|
+
#
|
4240
|
+
# * To reencrypt the data, you must specify the *destination CMK*, that
|
4241
|
+
# is, the CMK that re-encrypts the data after it is decrypted. You can
|
4242
|
+
# select a symmetric or asymmetric CMK. If the destination CMK is an
|
4243
|
+
# asymmetric CMK, you must also provide the encryption algorithm. The
|
4244
|
+
# algorithm that you choose must be compatible with the CMK.
|
4245
|
+
#
|
4246
|
+
# When you use an asymmetric CMK to encrypt or reencrypt data, be sure
|
4247
|
+
# to record the CMK and encryption algorithm that you choose. You will
|
4248
|
+
# be required to provide the same CMK and encryption algorithm when
|
4249
|
+
# you decrypt the data. If the CMK and algorithm do not match the
|
4250
|
+
# values used to encrypt the data, the decrypt operation fails.
|
4251
|
+
#
|
4252
|
+
# You are not required to supply the CMK ID and encryption algorithm
|
4253
|
+
# when you decrypt with symmetric CMKs because AWS KMS stores this
|
4254
|
+
# information in the ciphertext blob. AWS KMS cannot store metadata in
|
4255
|
+
# ciphertext generated with asymmetric keys. The standard format for
|
4256
|
+
# asymmetric key ciphertext does not include configurable fields.
|
4257
|
+
#
|
4258
|
+
# Unlike other AWS KMS API operations, `ReEncrypt` callers must have two
|
4259
|
+
# permissions:
|
4260
|
+
#
|
4261
|
+
# * `kms:EncryptFrom` permission on the source CMK
|
4262
|
+
#
|
4263
|
+
# * `kms:EncryptTo` permission on the destination CMK
|
4264
|
+
#
|
4265
|
+
# To permit reencryption from
|
4266
|
+
#
|
4267
|
+
# or to a CMK, include the `"kms:ReEncrypt*"` permission in your [key
|
4268
|
+
# policy][4]. This permission is automatically included in the key
|
4269
|
+
# policy when you use the console to create a CMK. But you must include
|
4270
|
+
# it manually when you create a CMK programmatically or when you use the
|
4271
|
+
# PutKeyPolicy operation set a key policy.
|
4272
|
+
#
|
4273
|
+
# The CMK that you use for this operation must be in a compatible key
|
4274
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
4275
|
+
# Master Key][5] in the *AWS Key Management Service Developer Guide*.
|
3349
4276
|
#
|
3350
4277
|
#
|
3351
|
-
#
|
3352
|
-
# [
|
4278
|
+
#
|
4279
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
|
4280
|
+
# [2]: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/
|
4281
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
|
4282
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
|
4283
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3353
4284
|
#
|
3354
4285
|
# @option params [required, String, IO] :ciphertext_blob
|
3355
4286
|
# Ciphertext of the data to reencrypt.
|
3356
4287
|
#
|
3357
4288
|
# @option params [Hash<String,String>] :source_encryption_context
|
3358
|
-
#
|
3359
|
-
# the
|
4289
|
+
# Specifies the encryption context to use to decrypt the ciphertext.
|
4290
|
+
# Enter the same encryption context that was used to encrypt the
|
4291
|
+
# ciphertext.
|
4292
|
+
#
|
4293
|
+
# An *encryption context* is a collection of non-secret key-value pairs
|
4294
|
+
# that represents additional authenticated data. When you use an
|
4295
|
+
# encryption context to encrypt data, you must specify the same (an
|
4296
|
+
# exact case-sensitive match) encryption context to decrypt the data. An
|
4297
|
+
# encryption context is optional when encrypting with a symmetric CMK,
|
4298
|
+
# but it is highly recommended.
|
4299
|
+
#
|
4300
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
4301
|
+
# Management Service Developer Guide*.
|
4302
|
+
#
|
4303
|
+
#
|
4304
|
+
#
|
4305
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
4306
|
+
#
|
4307
|
+
# @option params [String] :source_key_id
|
4308
|
+
# A unique identifier for the CMK that is used to decrypt the ciphertext
|
4309
|
+
# before it reencrypts it using the destination CMK.
|
4310
|
+
#
|
4311
|
+
# This parameter is required only when the ciphertext was encrypted
|
4312
|
+
# under an asymmetric CMK. Otherwise, AWS KMS uses the metadata that it
|
4313
|
+
# adds to the ciphertext blob to determine which CMK was used to encrypt
|
4314
|
+
# the ciphertext. However, you can use this parameter to ensure that a
|
4315
|
+
# particular CMK (of any kind) is used to decrypt the ciphertext before
|
4316
|
+
# it is reencrypted.
|
4317
|
+
#
|
4318
|
+
# If you specify a `KeyId` value, the decrypt part of the `ReEncrypt`
|
4319
|
+
# operation succeeds only if the specified CMK was used to encrypt the
|
4320
|
+
# ciphertext.
|
4321
|
+
#
|
4322
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
4323
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
4324
|
+
# `"alias/"`.
|
4325
|
+
#
|
4326
|
+
# For example:
|
4327
|
+
#
|
4328
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
4329
|
+
#
|
4330
|
+
# * Key ARN:
|
4331
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4332
|
+
#
|
4333
|
+
# * Alias name: `alias/ExampleAlias`
|
4334
|
+
#
|
4335
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
4336
|
+
#
|
4337
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
4338
|
+
# To get the alias name and alias ARN, use ListAliases.
|
3360
4339
|
#
|
3361
4340
|
# @option params [required, String] :destination_key_id
|
3362
4341
|
# A unique identifier for the CMK that is used to reencrypt the data.
|
4342
|
+
# Specify a symmetric or asymmetric CMK with a `KeyUsage` value of
|
4343
|
+
# `ENCRYPT_DECRYPT`. To find the `KeyUsage` value of a CMK, use the
|
4344
|
+
# DescribeKey operation.
|
3363
4345
|
#
|
3364
4346
|
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
3365
4347
|
# name, or alias ARN. When using an alias name, prefix it with
|
@@ -3381,7 +4363,46 @@ module Aws::KMS
|
|
3381
4363
|
# To get the alias name and alias ARN, use ListAliases.
|
3382
4364
|
#
|
3383
4365
|
# @option params [Hash<String,String>] :destination_encryption_context
|
3384
|
-
#
|
4366
|
+
# Specifies that encryption context to use when the reencrypting the
|
4367
|
+
# data.
|
4368
|
+
#
|
4369
|
+
# A destination encryption context is valid only when the destination
|
4370
|
+
# CMK is a symmetric CMK. The standard ciphertext format for asymmetric
|
4371
|
+
# CMKs does not include fields for metadata.
|
4372
|
+
#
|
4373
|
+
# An *encryption context* is a collection of non-secret key-value pairs
|
4374
|
+
# that represents additional authenticated data. When you use an
|
4375
|
+
# encryption context to encrypt data, you must specify the same (an
|
4376
|
+
# exact case-sensitive match) encryption context to decrypt the data. An
|
4377
|
+
# encryption context is optional when encrypting with a symmetric CMK,
|
4378
|
+
# but it is highly recommended.
|
4379
|
+
#
|
4380
|
+
# For more information, see [Encryption Context][1] in the *AWS Key
|
4381
|
+
# Management Service Developer Guide*.
|
4382
|
+
#
|
4383
|
+
#
|
4384
|
+
#
|
4385
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
4386
|
+
#
|
4387
|
+
# @option params [String] :source_encryption_algorithm
|
4388
|
+
# Specifies the encryption algorithm that AWS KMS will use to decrypt
|
4389
|
+
# the ciphertext before it is reencrypted. The default value,
|
4390
|
+
# `SYMMETRIC_DEFAULT`, represents the algorithm used for symmetric CMKs.
|
4391
|
+
#
|
4392
|
+
# Specify the same algorithm that was used to encrypt the ciphertext. If
|
4393
|
+
# you specify a different algorithm, the decrypt attempt fails.
|
4394
|
+
#
|
4395
|
+
# This parameter is required only when the ciphertext was encrypted
|
4396
|
+
# under an asymmetric CMK.
|
4397
|
+
#
|
4398
|
+
# @option params [String] :destination_encryption_algorithm
|
4399
|
+
# Specifies the encryption algorithm that AWS KMS will use to reecrypt
|
4400
|
+
# the data after it has decrypted it. The default value,
|
4401
|
+
# `SYMMETRIC_DEFAULT`, represents the encryption algorithm used for
|
4402
|
+
# symmetric CMKs.
|
4403
|
+
#
|
4404
|
+
# This parameter is required only when the destination CMK is an
|
4405
|
+
# asymmetric CMK.
|
3385
4406
|
#
|
3386
4407
|
# @option params [Array<String>] :grant_tokens
|
3387
4408
|
# A list of grant tokens.
|
@@ -3398,6 +4419,8 @@ module Aws::KMS
|
|
3398
4419
|
# * {Types::ReEncryptResponse#ciphertext_blob #ciphertext_blob} => String
|
3399
4420
|
# * {Types::ReEncryptResponse#source_key_id #source_key_id} => String
|
3400
4421
|
# * {Types::ReEncryptResponse#key_id #key_id} => String
|
4422
|
+
# * {Types::ReEncryptResponse#source_encryption_algorithm #source_encryption_algorithm} => String
|
4423
|
+
# * {Types::ReEncryptResponse#destination_encryption_algorithm #destination_encryption_algorithm} => String
|
3401
4424
|
#
|
3402
4425
|
#
|
3403
4426
|
# @example Example: To reencrypt data
|
@@ -3423,10 +4446,13 @@ module Aws::KMS
|
|
3423
4446
|
# source_encryption_context: {
|
3424
4447
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
3425
4448
|
# },
|
4449
|
+
# source_key_id: "KeyIdType",
|
3426
4450
|
# destination_key_id: "KeyIdType", # required
|
3427
4451
|
# destination_encryption_context: {
|
3428
4452
|
# "EncryptionContextKey" => "EncryptionContextValue",
|
3429
4453
|
# },
|
4454
|
+
# source_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
4455
|
+
# destination_encryption_algorithm: "SYMMETRIC_DEFAULT", # accepts SYMMETRIC_DEFAULT, RSAES_OAEP_SHA_1, RSAES_OAEP_SHA_256
|
3430
4456
|
# grant_tokens: ["GrantTokenType"],
|
3431
4457
|
# })
|
3432
4458
|
#
|
@@ -3435,6 +4461,8 @@ module Aws::KMS
|
|
3435
4461
|
# resp.ciphertext_blob #=> String
|
3436
4462
|
# resp.source_key_id #=> String
|
3437
4463
|
# resp.key_id #=> String
|
4464
|
+
# resp.source_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
4465
|
+
# resp.destination_encryption_algorithm #=> String, one of "SYMMETRIC_DEFAULT", "RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"
|
3438
4466
|
#
|
3439
4467
|
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt AWS API Documentation
|
3440
4468
|
#
|
@@ -3591,9 +4619,9 @@ module Aws::KMS
|
|
3591
4619
|
# [Deleting Customer Master Keys][3] in the *AWS Key Management Service
|
3592
4620
|
# Developer Guide*.
|
3593
4621
|
#
|
3594
|
-
# The
|
3595
|
-
# details, see [How Key State Affects Use of a Customer
|
3596
|
-
# in the *AWS Key Management Service Developer Guide*.
|
4622
|
+
# The CMK that you use for this operation must be in a compatible key
|
4623
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
4624
|
+
# Master Key][4] in the *AWS Key Management Service Developer Guide*.
|
3597
4625
|
#
|
3598
4626
|
#
|
3599
4627
|
#
|
@@ -3665,6 +4693,138 @@ module Aws::KMS
|
|
3665
4693
|
req.send_request(options)
|
3666
4694
|
end
|
3667
4695
|
|
4696
|
+
# Creates a [digital signature][1] for a message or message digest by
|
4697
|
+
# using the private key in an asymmetric CMK. To verify the signature,
|
4698
|
+
# use the Verify operation, or use the public key in the same asymmetric
|
4699
|
+
# CMK outside of AWS KMS. For information about symmetric and asymmetric
|
4700
|
+
# CMKs, see [Using Symmetric and Asymmetric CMKs][2] in the *AWS Key
|
4701
|
+
# Management Service Developer Guide*.
|
4702
|
+
#
|
4703
|
+
# Digital signatures are generated and verified by using asymmetric key
|
4704
|
+
# pair, such as an RSA or ECC pair that is represented by an asymmetric
|
4705
|
+
# customer master key (CMK). The key owner (or an authorized user) uses
|
4706
|
+
# their private key to sign a message. Anyone with the public key can
|
4707
|
+
# verify that the message was signed with that particular private key
|
4708
|
+
# and that the message hasn't changed since it was signed.
|
4709
|
+
#
|
4710
|
+
# To use the `Sign` operation, provide the following information:
|
4711
|
+
#
|
4712
|
+
# * Use the `KeyId` parameter to identify an asymmetric CMK with a
|
4713
|
+
# `KeyUsage` value of `SIGN_VERIFY`. To get the `KeyUsage` value of a
|
4714
|
+
# CMK, use the DescribeKey operation. The caller must have `kms:Sign`
|
4715
|
+
# permission on the CMK.
|
4716
|
+
#
|
4717
|
+
# * Use the `Message` parameter to specify the message or message digest
|
4718
|
+
# to sign. You can submit messages of up to 4096 bytes. To sign a
|
4719
|
+
# larger message, generate a hash digest of the message, and then
|
4720
|
+
# provide the hash digest in the `Message` parameter. To indicate
|
4721
|
+
# whether the message is a full message or a digest, use the
|
4722
|
+
# `MessageType` parameter.
|
4723
|
+
#
|
4724
|
+
# * Choose a signing algorithm that is compatible with the CMK.
|
4725
|
+
#
|
4726
|
+
# When signing a message, be sure to record the CMK and the signing
|
4727
|
+
# algorithm. This information is required to verify the signature.
|
4728
|
+
#
|
4729
|
+
# To verify the signature that this operation generates, use the Verify
|
4730
|
+
# operation. Or use the GetPublicKey operation to download the public
|
4731
|
+
# key and then use the public key to verify the signature outside of AWS
|
4732
|
+
# KMS.
|
4733
|
+
#
|
4734
|
+
# The CMK that you use for this operation must be in a compatible key
|
4735
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
4736
|
+
# Master Key][3] in the *AWS Key Management Service Developer Guide*.
|
4737
|
+
#
|
4738
|
+
#
|
4739
|
+
#
|
4740
|
+
# [1]: https://en.wikipedia.org/wiki/Digital_signature
|
4741
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
4742
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
4743
|
+
#
|
4744
|
+
# @option params [required, String] :key_id
|
4745
|
+
# Identifies an asymmetric CMK. AWS KMS uses the private key in the
|
4746
|
+
# asymmetric CMK to sign the message. The `KeyUsage` type of the CMK
|
4747
|
+
# must be `SIGN_VERIFY`. To find the `KeyUsage` of a CMK, use the
|
4748
|
+
# DescribeKey operation.
|
4749
|
+
#
|
4750
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
4751
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
4752
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must use
|
4753
|
+
# the key ARN or alias ARN.
|
4754
|
+
#
|
4755
|
+
# For example:
|
4756
|
+
#
|
4757
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
4758
|
+
#
|
4759
|
+
# * Key ARN:
|
4760
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
4761
|
+
#
|
4762
|
+
# * Alias name: `alias/ExampleAlias`
|
4763
|
+
#
|
4764
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
4765
|
+
#
|
4766
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
4767
|
+
# To get the alias name and alias ARN, use ListAliases.
|
4768
|
+
#
|
4769
|
+
# @option params [required, String, IO] :message
|
4770
|
+
# Specifies the message or message digest to sign. Messages can be
|
4771
|
+
# 0-4096 bytes. To sign a larger message, provide the message digest.
|
4772
|
+
#
|
4773
|
+
# If you provide a message, AWS KMS generates a hash digest of the
|
4774
|
+
# message and then signs it.
|
4775
|
+
#
|
4776
|
+
# @option params [String] :message_type
|
4777
|
+
# Tells AWS KMS whether the value of the `Message` parameter is a
|
4778
|
+
# message or message digest. To indicate a message, enter `RAW`. To
|
4779
|
+
# indicate a message digest, enter `DIGEST`.
|
4780
|
+
#
|
4781
|
+
# @option params [Array<String>] :grant_tokens
|
4782
|
+
# A list of grant tokens.
|
4783
|
+
#
|
4784
|
+
# For more information, see [Grant Tokens][1] in the *AWS Key Management
|
4785
|
+
# Service Developer Guide*.
|
4786
|
+
#
|
4787
|
+
#
|
4788
|
+
#
|
4789
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
4790
|
+
#
|
4791
|
+
# @option params [required, String] :signing_algorithm
|
4792
|
+
# Specifies the signing algorithm to use when signing the message.
|
4793
|
+
#
|
4794
|
+
# Choose an algorithm that is compatible with the type and size of the
|
4795
|
+
# specified asymmetric CMK.
|
4796
|
+
#
|
4797
|
+
# @return [Types::SignResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
4798
|
+
#
|
4799
|
+
# * {Types::SignResponse#key_id #key_id} => String
|
4800
|
+
# * {Types::SignResponse#signature #signature} => String
|
4801
|
+
# * {Types::SignResponse#signing_algorithm #signing_algorithm} => String
|
4802
|
+
#
|
4803
|
+
# @example Request syntax with placeholder values
|
4804
|
+
#
|
4805
|
+
# resp = client.sign({
|
4806
|
+
# key_id: "KeyIdType", # required
|
4807
|
+
# message: "data", # required
|
4808
|
+
# message_type: "RAW", # accepts RAW, DIGEST
|
4809
|
+
# grant_tokens: ["GrantTokenType"],
|
4810
|
+
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
4811
|
+
# })
|
4812
|
+
#
|
4813
|
+
# @example Response structure
|
4814
|
+
#
|
4815
|
+
# resp.key_id #=> String
|
4816
|
+
# resp.signature #=> String
|
4817
|
+
# resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
4818
|
+
#
|
4819
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign AWS API Documentation
|
4820
|
+
#
|
4821
|
+
# @overload sign(params = {})
|
4822
|
+
# @param [Hash] params ({})
|
4823
|
+
def sign(params = {}, options = {})
|
4824
|
+
req = build_request(:sign, params)
|
4825
|
+
req.send_request(options)
|
4826
|
+
end
|
4827
|
+
|
3668
4828
|
# Adds or edits tags for a customer master key (CMK). You cannot perform
|
3669
4829
|
# this operation on a CMK in a different AWS account.
|
3670
4830
|
#
|
@@ -3679,9 +4839,9 @@ module Aws::KMS
|
|
3679
4839
|
# see [User-Defined Tag Restrictions][1] in the *AWS Billing and Cost
|
3680
4840
|
# Management User Guide*.
|
3681
4841
|
#
|
3682
|
-
# The
|
3683
|
-
# details, see [How Key State Affects Use of a Customer
|
3684
|
-
# in the *AWS Key Management Service Developer Guide*.
|
4842
|
+
# The CMK that you use for this operation must be in a compatible key
|
4843
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
4844
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
3685
4845
|
#
|
3686
4846
|
#
|
3687
4847
|
#
|
@@ -3750,9 +4910,9 @@ module Aws::KMS
|
|
3750
4910
|
# To remove a tag, specify the tag key. To change the tag value of an
|
3751
4911
|
# existing tag key, use TagResource.
|
3752
4912
|
#
|
3753
|
-
# The
|
3754
|
-
# details, see [How Key State Affects Use of a Customer
|
3755
|
-
# in the *AWS Key Management Service Developer Guide*.
|
4913
|
+
# The CMK that you use for this operation must be in a compatible key
|
4914
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
4915
|
+
# Master Key][1] in the *AWS Key Management Service Developer Guide*.
|
3756
4916
|
#
|
3757
4917
|
#
|
3758
4918
|
#
|
@@ -3806,14 +4966,22 @@ module Aws::KMS
|
|
3806
4966
|
req.send_request(options)
|
3807
4967
|
end
|
3808
4968
|
|
3809
|
-
# Associates an existing alias with a different customer master
|
3810
|
-
# (CMK). Each
|
3811
|
-
#
|
4969
|
+
# Associates an existing AWS KMS alias with a different customer master
|
4970
|
+
# key (CMK). Each alias is associated with only one CMK at a time,
|
4971
|
+
# although a CMK can have multiple aliases. The alias and the CMK must
|
4972
|
+
# be in the same AWS account and region. You cannot perform this
|
3812
4973
|
# operation on an alias in a different AWS account.
|
3813
4974
|
#
|
3814
|
-
#
|
3815
|
-
#
|
3816
|
-
#
|
4975
|
+
# The current and new CMK must be the same type (both symmetric or both
|
4976
|
+
# asymmetric), and they must have the same key usage (`ENCRYPT_DECRYPT`
|
4977
|
+
# or `SIGN_VERIFY`). This restriction prevents errors in code that uses
|
4978
|
+
# aliases. If you must assign an alias to a different type of CMK, use
|
4979
|
+
# DeleteAlias to delete the old alias and CreateAlias to create a new
|
4980
|
+
# alias.
|
4981
|
+
#
|
4982
|
+
# You cannot use `UpdateAlias` to change an alias name. To change an
|
4983
|
+
# alias name, use DeleteAlias to delete the old alias and CreateAlias to
|
4984
|
+
# create a new alias.
|
3817
4985
|
#
|
3818
4986
|
# Because an alias is not a property of a CMK, you can create, update,
|
3819
4987
|
# and delete the aliases of a CMK without affecting the CMK. Also,
|
@@ -3821,29 +4989,28 @@ module Aws::KMS
|
|
3821
4989
|
# To get the aliases of all CMKs in the account, use the ListAliases
|
3822
4990
|
# operation.
|
3823
4991
|
#
|
3824
|
-
# The
|
3825
|
-
#
|
3826
|
-
#
|
3827
|
-
# cannot begin with `alias/aws/`. The `alias/aws/` prefix is reserved
|
3828
|
-
# for [AWS managed CMKs][1].
|
4992
|
+
# The CMK that you use for this operation must be in a compatible key
|
4993
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
4994
|
+
# Master Key][1] in the *AWS Key Management Service Developer Guide*.
|
3829
4995
|
#
|
3830
|
-
# The result of this operation varies with the key state of the CMK. For
|
3831
|
-
# details, see [How Key State Affects Use of a Customer Master Key][2]
|
3832
|
-
# in the *AWS Key Management Service Developer Guide*.
|
3833
4996
|
#
|
3834
4997
|
#
|
3835
|
-
#
|
3836
|
-
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
3837
|
-
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
4998
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
3838
4999
|
#
|
3839
5000
|
# @option params [required, String] :alias_name
|
3840
|
-
#
|
3841
|
-
# `alias/` followed by the alias name, such as
|
5001
|
+
# Identifies the alias that is changing its CMK. This value must begin
|
5002
|
+
# with `alias/` followed by the alias name, such as
|
5003
|
+
# `alias/ExampleAlias`. You cannot use UpdateAlias to change the alias
|
5004
|
+
# name.
|
3842
5005
|
#
|
3843
5006
|
# @option params [required, String] :target_key_id
|
3844
|
-
#
|
3845
|
-
#
|
3846
|
-
#
|
5007
|
+
# Identifies the CMK to associate with the alias. When the update
|
5008
|
+
# operation completes, the alias will point to this CMK.
|
5009
|
+
#
|
5010
|
+
# The CMK must be in the same AWS account and Region as the alias. Also,
|
5011
|
+
# the new target CMK must be the same type as the current target CMK
|
5012
|
+
# (both symmetric or both asymmetric) and they must have the same key
|
5013
|
+
# usage.
|
3847
5014
|
#
|
3848
5015
|
# Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
|
3849
5016
|
#
|
@@ -3994,9 +5161,9 @@ module Aws::KMS
|
|
3994
5161
|
#
|
3995
5162
|
# You cannot perform this operation on a CMK in a different AWS account.
|
3996
5163
|
#
|
3997
|
-
# The
|
3998
|
-
# details, see [How Key State Affects Use of a Customer
|
3999
|
-
# in the *AWS Key Management Service Developer Guide*.
|
5164
|
+
# The CMK that you use for this operation must be in a compatible key
|
5165
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
5166
|
+
# Master Key][1] in the *AWS Key Management Service Developer Guide*.
|
4000
5167
|
#
|
4001
5168
|
#
|
4002
5169
|
#
|
@@ -4047,6 +5214,133 @@ module Aws::KMS
|
|
4047
5214
|
req.send_request(options)
|
4048
5215
|
end
|
4049
5216
|
|
5217
|
+
# Verifies a digital signature that was generated by the Sign operation.
|
5218
|
+
#
|
5219
|
+
#
|
5220
|
+
#
|
5221
|
+
# Verification confirms that an authorized user signed the message with
|
5222
|
+
# the specified CMK and signing algorithm, and the message hasn't
|
5223
|
+
# changed since it was signed. If the signature is verified, the value
|
5224
|
+
# of the `SignatureValid` field in the response is `True`. If the
|
5225
|
+
# signature verification fails, the `Verify` operation fails with an
|
5226
|
+
# `KMSInvalidSignatureException` exception.
|
5227
|
+
#
|
5228
|
+
# A digital signature is generated by using the private key in an
|
5229
|
+
# asymmetric CMK. The signature is verified by using the public key in
|
5230
|
+
# the same asymmetric CMK. For information about symmetric and
|
5231
|
+
# asymmetric CMKs, see [Using Symmetric and Asymmetric CMKs][1] in the
|
5232
|
+
# *AWS Key Management Service Developer Guide*.
|
5233
|
+
#
|
5234
|
+
# To verify a digital signature, you can use the `Verify` operation.
|
5235
|
+
# Specify the same asymmetric CMK, message, and signing algorithm that
|
5236
|
+
# were used to produce the signature.
|
5237
|
+
#
|
5238
|
+
# You can also verify the digital signature by using the public key of
|
5239
|
+
# the CMK outside of AWS KMS. Use the GetPublicKey operation to download
|
5240
|
+
# the public key in the asymmetric CMK and then use the public key to
|
5241
|
+
# verify the signature outside of AWS KMS. The advantage of using the
|
5242
|
+
# `Verify` operation is that it is performed within AWS KMS. As a
|
5243
|
+
# result, it's easy to call, the operation is performed within the FIPS
|
5244
|
+
# boundary, it is logged in AWS CloudTrail, and you can use key policy
|
5245
|
+
# and IAM policy to determine who is authorized to use the CMK to verify
|
5246
|
+
# signatures.
|
5247
|
+
#
|
5248
|
+
# The CMK that you use for this operation must be in a compatible key
|
5249
|
+
# state. For details, see [How Key State Affects Use of a Customer
|
5250
|
+
# Master Key][2] in the *AWS Key Management Service Developer Guide*.
|
5251
|
+
#
|
5252
|
+
#
|
5253
|
+
#
|
5254
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html
|
5255
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
|
5256
|
+
#
|
5257
|
+
# @option params [required, String] :key_id
|
5258
|
+
# Identifies the asymmetric CMK that will be used to verify the
|
5259
|
+
# signature. This must be the same CMK that was used to generate the
|
5260
|
+
# signature. If you specify a different CMK, the signature verification
|
5261
|
+
# fails.
|
5262
|
+
#
|
5263
|
+
# To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias
|
5264
|
+
# name, or alias ARN. When using an alias name, prefix it with
|
5265
|
+
# `"alias/"`. To specify a CMK in a different AWS account, you must use
|
5266
|
+
# the key ARN or alias ARN.
|
5267
|
+
#
|
5268
|
+
# For example:
|
5269
|
+
#
|
5270
|
+
# * Key ID: `1234abcd-12ab-34cd-56ef-1234567890ab`
|
5271
|
+
#
|
5272
|
+
# * Key ARN:
|
5273
|
+
# `arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`
|
5274
|
+
#
|
5275
|
+
# * Alias name: `alias/ExampleAlias`
|
5276
|
+
#
|
5277
|
+
# * Alias ARN: `arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias`
|
5278
|
+
#
|
5279
|
+
# To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
|
5280
|
+
# To get the alias name and alias ARN, use ListAliases.
|
5281
|
+
#
|
5282
|
+
# @option params [required, String, IO] :message
|
5283
|
+
# Specifies the message that was signed, or a hash digest of that
|
5284
|
+
# message. Messages can be 0-4096 bytes. To verify a larger message,
|
5285
|
+
# provide a hash digest of the message.
|
5286
|
+
#
|
5287
|
+
# If the digest of the message specified here is different from the
|
5288
|
+
# message digest that was signed, the signature verification fails.
|
5289
|
+
#
|
5290
|
+
# @option params [String] :message_type
|
5291
|
+
# Tells AWS KMS whether the value of the `Message` parameter is a
|
5292
|
+
# message or message digest. To indicate a message, enter `RAW`. To
|
5293
|
+
# indicate a message digest, enter `DIGEST`.
|
5294
|
+
#
|
5295
|
+
# @option params [required, String, IO] :signature
|
5296
|
+
# The signature that the `Sign` operation generated.
|
5297
|
+
#
|
5298
|
+
# @option params [required, String] :signing_algorithm
|
5299
|
+
# The signing algorithm that was used to sign the message. If you submit
|
5300
|
+
# a different algorithm, the signature verification fails.
|
5301
|
+
#
|
5302
|
+
# @option params [Array<String>] :grant_tokens
|
5303
|
+
# A list of grant tokens.
|
5304
|
+
#
|
5305
|
+
# For more information, see [Grant Tokens][1] in the *AWS Key Management
|
5306
|
+
# Service Developer Guide*.
|
5307
|
+
#
|
5308
|
+
#
|
5309
|
+
#
|
5310
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
|
5311
|
+
#
|
5312
|
+
# @return [Types::VerifyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
5313
|
+
#
|
5314
|
+
# * {Types::VerifyResponse#key_id #key_id} => String
|
5315
|
+
# * {Types::VerifyResponse#signature_valid #signature_valid} => Boolean
|
5316
|
+
# * {Types::VerifyResponse#signing_algorithm #signing_algorithm} => String
|
5317
|
+
#
|
5318
|
+
# @example Request syntax with placeholder values
|
5319
|
+
#
|
5320
|
+
# resp = client.verify({
|
5321
|
+
# key_id: "KeyIdType", # required
|
5322
|
+
# message: "data", # required
|
5323
|
+
# message_type: "RAW", # accepts RAW, DIGEST
|
5324
|
+
# signature: "data", # required
|
5325
|
+
# signing_algorithm: "RSASSA_PSS_SHA_256", # required, accepts RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, RSASSA_PKCS1_V1_5_SHA_512, ECDSA_SHA_256, ECDSA_SHA_384, ECDSA_SHA_512
|
5326
|
+
# grant_tokens: ["GrantTokenType"],
|
5327
|
+
# })
|
5328
|
+
#
|
5329
|
+
# @example Response structure
|
5330
|
+
#
|
5331
|
+
# resp.key_id #=> String
|
5332
|
+
# resp.signature_valid #=> Boolean
|
5333
|
+
# resp.signing_algorithm #=> String, one of "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512", "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "ECDSA_SHA_256", "ECDSA_SHA_384", "ECDSA_SHA_512"
|
5334
|
+
#
|
5335
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify AWS API Documentation
|
5336
|
+
#
|
5337
|
+
# @overload verify(params = {})
|
5338
|
+
# @param [Hash] params ({})
|
5339
|
+
def verify(params = {}, options = {})
|
5340
|
+
req = build_request(:verify, params)
|
5341
|
+
req.send_request(options)
|
5342
|
+
end
|
5343
|
+
|
4050
5344
|
# @!endgroup
|
4051
5345
|
|
4052
5346
|
# @param params ({})
|
@@ -4060,7 +5354,7 @@ module Aws::KMS
|
|
4060
5354
|
params: params,
|
4061
5355
|
config: config)
|
4062
5356
|
context[:gem_name] = 'aws-sdk-kms'
|
4063
|
-
context[:gem_version] = '1.
|
5357
|
+
context[:gem_version] = '1.27.0'
|
4064
5358
|
Seahorse::Client::Request.new(handlers, context)
|
4065
5359
|
end
|
4066
5360
|
|